Windows Analysis Report
6a7e35.msi

Overview

General Information

Sample name: 6a7e35.msi
Analysis ID: 1583002
MD5: b3ad59ac513d378e7fa7321b06b2039a
SHA1: 83f2542b7448bb78483be186f52a91808b9caf21
SHA256: 800f0f4fdc891a092ab39c72e59a13119bec9238b7643584605dae5870e897d7
Tags: HUN, msi, user-smica83
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Query firmware table information (likely to detect VMs)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected AdvancedInstaller

Classification

  • System is w10x64
  • msiexec.exe (PID: 7552 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\6a7e35.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7584 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7688 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B8D344171FDCF9A94B1EF3DC3F4CA3AD MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 7872 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8124 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\suriqk.bat" "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • obs-ffmpeg-mux.exe (PID: 7328 cmdline: "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe" MD5: D3CAC4D7B35BACAE314F48C374452D71)
        • conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 8136 cmdline: "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_AdvancedInstaller | Yara detected AdvancedInstaller | Joe Security |

    System Summary

    Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding B8D344171FDCF9A94B1EF3DC3F4CA3AD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7688, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7872, ProcessName: powershell.exe
    Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding B8D344171FDCF9A94B1EF3DC3F4CA3AD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7688, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7872, ProcessName: powershell.exe
    Source: Process started | Author: frack113 | Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding B8D344171FDCF9A94B1EF3DC3F4CA3AD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7688, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7872, ProcessName: powershell.exe
    Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.21.32.1, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7688, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
    Source: Process started | Author: frack113 | Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding B8D344171FDCF9A94B1EF3DC3F4CA3AD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7688, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7872, ProcessName: powershell.exe
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding B8D344171FDCF9A94B1EF3DC3F4CA3AD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7688, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7872, ProcessName: powershell.exe
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-01-01T12:35:14.320447+0100 | 2829202 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.32.1 | 443 | TCP

    AV Detection

    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.1% probability
    Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65C7DA5B-F0BA-4729-9DEF-3AF5FDD631B8}
    Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49730 version: TLS 1.2
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: 6a7e35.msi, MSIF168.tmp.1.dr, 49c7b5.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000000.1835867305.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: ucrtbase.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: 6a7e35.msi, MSIF168.tmp.1.dr, 49c7b5.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: 6a7e35.msi, MSID2B2.tmp.1.dr, 49c7b5.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
    Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
    Source: Binary string: obs-ffmpeg-mux.pdb source: obs-ffmpeg-mux.exe, 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp, obs-ffmpeg-mux.exe, 0000000A.00000000.1840463013.00007FF7B7AB5000.00000002.00000001.01000000.00000007.sdmp
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000000.1835867305.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: 6a7e35.msi, MSID2B2.tmp.1.dr, 49c7b5.msi.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: ucrtbase.pdbUGP source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 6a7e35.msi, MSID186.tmp.1.dr, MSID312.tmp.1.dr, MSID214.tmp.1.dr, 49c7b5.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: C:\Windows\System32\msiexec.exe | File opened: z:
    Source: C:\Windows\System32\msiexec.exe | File opened: x:
    Source: C:\Windows\System32\msiexec.exe | File opened: v:
    Source: C:\Windows\System32\msiexec.exe | File opened: t:
    Source: C:\Windows\System32\msiexec.exe | File opened: r:
    Source: C:\Windows\System32\msiexec.exe | File opened: p:
    Source: C:\Windows\System32\msiexec.exe | File opened: n:
    Source: C:\Windows\System32\msiexec.exe | File opened: l:
    Source: C:\Windows\System32\msiexec.exe | File opened: j:
    Source: C:\Windows\System32\msiexec.exe | File opened: h:
    Source: C:\Windows\System32\msiexec.exe | File opened: f:
    Source: C:\Windows\System32\msiexec.exe | File opened: b:
    Source: C:\Windows\System32\msiexec.exe | File opened: y:
    Source: C:\Windows\System32\msiexec.exe | File opened: w:
    Source: C:\Windows\System32\msiexec.exe | File opened: u:
    Source: C:\Windows\System32\msiexec.exe | File opened: s:
    Source: C:\Windows\System32\msiexec.exe | File opened: q:
    Source: C:\Windows\System32\msiexec.exe | File opened: o:
    Source: C:\Windows\System32\msiexec.exe | File opened: m:
    Source: C:\Windows\System32\msiexec.exe | File opened: k:
    Source: C:\Windows\System32\msiexec.exe | File opened: i:
    Source: C:\Windows\System32\msiexec.exe | File opened: g:
    Source: C:\Windows\System32\msiexec.exe | File opened: e:
    Source: C:\Windows\System32\cmd.exe | File opened: c:
    Source: C:\Windows\System32\msiexec.exe | File opened: a:
    Source: Yara match | File source: sslproxydump.pcap, type: PCAP

    Networking

    Source: Network traffic | Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49730 -> 104.21.32.1:443
    Source: Joe Sandbox View | IP Address: 104.21.32.1
    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | DNS traffic detected: DNS query: blamedical.com
    Source: unknown | HTTP traffic detected: POST /updater.php HTTP/1.1
        Content-Type: application/x-www-form-urlencoded; charset=utf-8
        User-Agent: AdvancedInstaller
        Host: blamedical.com
        Content-Length: 71
        Cache-Control: no-cache
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
    Source: createdump.exe.1.dr | String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
    Source: createdump.exe.1.dr | String found in binary or memory: http://ccsca2021.ocsp-certum.com05
    Source: createdump.exe.1.dr | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
    Source: createdump.exe.1.dr | String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
    Source: createdump.exe.1.dr | String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: swresample-4.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: avformat-60.dll.1.dr | String found in binary or memory: http://dashif.org/guidelines/trickmode
    Source: powershell.exe, 00000003.00000002.1785734602.000000000610D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
    Source: 6a7e35.msi, avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr, 49c7b5.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0K
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0N
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0O
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
    Source: powershell.exe, 00000003.00000002.1783673275.00000000051F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: createdump.exe.1.dr | String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
    Source: createdump.exe.1.dr | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
    Source: createdump.exe.1.dr | String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
    Source: createdump.exe.1.dr | String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: http://schemas.micj
    Source: powershell.exe, 00000003.00000002.1783673275.00000000050A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: avformat-60.dll.1.dr | String found in binary or memory: http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd
    Source: createdump.exe.1.dr | String found in binary or memory: http://subca.ocsp-certum.com01
    Source: createdump.exe.1.dr | String found in binary or memory: http://subca.ocsp-certum.com02
    Source: createdump.exe.1.dr | String found in binary or memory: http://subca.ocsp-certum.com05
    Source: powershell.exe, 00000003.00000002.1783673275.00000000051F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: createdump.exe.1.dr | String found in binary or memory: http://www.certum.pl/CPS0
    Source: 6a7e35.msi, avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr, 49c7b5.msi.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
    Source: obs-ffmpeg-mux.exe, 0000000A.00000002.1845302474.00007FFDF9AB0000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: http://www.videolan.org/x264.html
    Source: zlib.dll.1.dr | String found in binary or memory: http://www.zlib.net/D
    Source: powershell.exe, 00000003.00000002.1783673275.00000000050A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: https://blamedical.com/updater.phpx
    Source: powershell.exe, 00000003.00000002.1785734602.000000000610D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000003.00000002.1785734602.000000000610D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000003.00000002.1785734602.000000000610D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000003.00000002.1783673275.00000000051F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000003.00000002.1783673275.0000000005761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
    Source: powershell.exe, 00000003.00000002.1785734602.000000000610D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: createdump.exe.1.dr | String found in binary or memory: https://www.certum.pl/CPS0
    Source: 6a7e35.msi, 49c7b5.msi.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
    Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49730 version: TLS 1.2
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\49c7b2.msiJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID118.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID186.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID214.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID263.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID2B2.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID2E2.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID312.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF168.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{65C7DA5B-F0BA-4729-9DEF-3AF5FDD631B8}Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF6A9.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF6BA.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\49c7b5.msiJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\49c7b5.msiJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSID118.tmpJump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exeCode function: 10_2_00007FF7B7AB2A1010_2_00007FF7B7AB2A10
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exeCode function: 10_2_00007FF7B7AB2EE010_2_00007FF7B7AB2EE0
    Source: avcodec-60.dll.1.dr | Static PE information: Number of sections : 13 > 10
    Source: avutil-58.dll.1.dr | Static PE information: Number of sections : 12 > 10
    Source: swresample-4.dll.1.dr | Static PE information: Number of sections : 12 > 10
    Source: swscale-7.dll.1.dr | Static PE information: Number of sections : 12 > 10
    Source: zlib.dll.1.dr | Static PE information: Number of sections : 12 > 10
    Source: avformat-60.dll.1.dr | Static PE information: Number of sections : 12 > 10
    Source: api-ms-win-core-handle-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-string-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-synch-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-memory-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-debug-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-heap-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-console-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-console-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l2-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-profile-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-localization-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-util-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-synch-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: 6a7e35.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs 6a7e35.msi
    Source: 6a7e35.msi | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs 6a7e35.msi
    Source: 6a7e35.msi | Binary or memory string: OriginalFilenameDataUploader.dllF vs 6a7e35.msi
    Source: 6a7e35.msi | Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs 6a7e35.msi
    Source: 6a7e35.msi | Binary or memory string: OriginalFilenameucrtbase.dllj% vs 6a7e35.msi
    Source: 6a7e35.msi | Binary or memory string: OriginalFilenamevcruntime140.dllT vs 6a7e35.msi
    Source: 6a7e35.msi | Binary or memory string: OriginalFilenamemsvcp140.dllT vs 6a7e35.msi
    Source: 6a7e35.msi | Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs 6a7e35.msi
    Source: 6a7e35.msi | Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs 6a7e35.msi
    Source: 6a7e35.msi | Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs 6a7e35.msi
    Source: classification engine | Classification label: mal68.evad.winMSI@17/88@1/1
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\CMLFEBF.tmp
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DF9F345824C5247150.TMP
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\suriqk.bat" "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe""
    Source: C:\Windows\SysWOW64\msiexec.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
    Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\6a7e35.msi"
    Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B8D344171FDCF9A94B1EF3DC3F4CA3AD
    Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\suriqk.bat" "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe""
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe"
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windowmanagementapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: inputhost.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.immersive.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: atlthunk.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe | Section loaded: dbghelp.dll
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe | Section loaded: dbgcore.dll
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | Section loaded: obs.dll
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | Section loaded: avcodec-60.dll
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | Section loaded: avutil-58.dll
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | Section loaded: avformat-60.dll
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | Section loaded: w32-pthreads.dll
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | Section loaded: vcruntime140.dll
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | Section loaded: avutil-58.dll
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | Section loaded: swresample-4.dll
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65C7DA5B-F0BA-4729-9DEF-3AF5FDD631B8}
    Source: 6a7e35.msi | Static file information: File size 60710717 > 1048576
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: 6a7e35.msi, MSIF168.tmp.1.dr, 49c7b5.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000000.1835867305.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: ucrtbase.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: 6a7e35.msi, MSIF168.tmp.1.dr, 49c7b5.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: 6a7e35.msi, MSID2B2.tmp.1.dr, 49c7b5.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
    Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
    Source: Binary string: obs-ffmpeg-mux.pdb source: obs-ffmpeg-mux.exe, 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp, obs-ffmpeg-mux.exe, 0000000A.00000000.1840463013.00007FF7B7AB5000.00000002.00000001.01000000.00000007.sdmp
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000000.1835867305.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: 6a7e35.msi, MSID2B2.tmp.1.dr, 49c7b5.msi.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: ucrtbase.pdbUGP source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 6a7e35.msi, MSID186.tmp.1.dr, MSID312.tmp.1.dr, MSID214.tmp.1.dr, 49c7b5.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: 6a7e35.msi, 49c7b5.msi.1.dr
    Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
    Source: vcruntime140.dll.1.dr Static PE information: section name: _RDATA
    Source: BCUninstaller.exe.1.dr Static PE information: section name: _RDATA
    Source: createdump.exe.1.dr Static PE information: section name: _RDATA
    Source: UnRar.exe.1.dr Static PE information: section name: _RDATA
    Source: avformat-60.dll.1.dr Static PE information: section name: .xdata
    Source: avutil-58.dll.1.dr Static PE information: section name: .xdata
    Source: swresample-4.dll.1.dr Static PE information: section name: .xdata
    Source: swscale-7.dll.1.dr Static PE information: section name: .xdata
    Source: zlib.dll.1.dr Static PE information: section name: .xdata
    Source: avcodec-60.dll.1.dr Static PE information: section name: .rodata
    Source: avcodec-60.dll.1.dr Static PE information: section name: .xdata
    Source: MSIF6BA.tmp.1.dr Static PE information: section name: .fptable
    Source: MSID118.tmp.1.dr Static PE information: section name: .fptable
    Source: MSID186.tmp.1.dr Static PE information: section name: .fptable
    Source: MSID214.tmp.1.dr Static PE information: section name: .fptable
    Source: MSID263.tmp.1.dr Static PE information: section name: .fptable
    Source: MSID2B2.tmp.1.dr Static PE information: section name: .fptable
    Source: MSID2E2.tmp.1.dr Static PE information: section name: .fptable
    Source: MSID312.tmp.1.dr Static PE information: section name: .fptable
    Source: MSIF168.tmp.1.dr Static PE information: section name: .fptable
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_04B4BDAC push esp; ret 3_2_04B4BDB3
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF6BA.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\vcruntime140_1.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-datetime-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-conio-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-file-l2-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-handle-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\swscale-7.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-rtlsupport-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-processenvironment-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-synch-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-heap-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-environment-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-interlocked-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\swresample-4.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-filesystem-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID118.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-processthreads-l1-1-1.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID263.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-localization-l1-2-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-convert-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-namedpipe-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-libraryloader-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-util-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-profile-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\msvcp140.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-memory-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-console-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\avutil-58.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-file-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID312.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-debug-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF168.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-processthreads-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID186.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-console-l1-2-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\avcodec-60.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID214.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-sysinfo-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\vcruntime140.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-string-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID2B2.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\avformat-60.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-file-l1-2-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-synch-l1-2-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\w32-pthreads.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\utest.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID2E2.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-errorhandling-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-timezone-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\zlib.dll
    Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX

    Malware Analysis System Evasion

    Source: C:\Windows\SysWOW64\msiexec.exe System information queried: FirmwareTableInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3060
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1569
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF6BA.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\vcruntime140_1.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-conio-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\msvcp140.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-datetime-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-file-l2-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-memory-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-handle-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\swscale-7.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-rtlsupport-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-console-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-processenvironment-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-synch-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-file-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID312.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-debug-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF168.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-processthreads-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-heap-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID186.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-console-l1-2-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID214.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-string-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID2B2.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-file-l1-2-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID118.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID263.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID2E2.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\utest.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\zlib.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-util-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exeAPI coverage: 8.2 %
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7952Thread sleep count: 3060 > 30Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940Thread sleep count: 1569 > 30Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7984Thread sleep time: -3689348814741908s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7972Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: 49c7b5.msi.1.drBinary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
    Source: obs-ffmpeg-mux.exe, 0000000A.00000002.1845302474.00007FFDF969A000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: vmncVMware Screen Codec / VMware Video @
    Source: obs-ffmpeg-mux.exe, 0000000A.00000002.1845302474.00007FFDF958D000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: VMware Screen Codec / VMware Video
    Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exeCode function: 7_2_00007FF68C7B2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF68C7B2ECC
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\suriqk.bat" "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe""Jump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exeCode function: 7_2_00007FF68C7B2984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF68C7B2984
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exeCode function: 7_2_00007FF68C7B2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF68C7B2ECC
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exeCode function: 7_2_00007FF68C7B3074 SetUnhandledExceptionFilter,7_2_00007FF68C7B3074
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exeCode function: 10_2_00007FF7B7AB3E04 SetUnhandledExceptionFilter,10_2_00007FF7B7AB3E04
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exeCode function: 10_2_00007FF7B7AB3774 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FF7B7AB3774
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exeCode function: 10_2_00007FF7B7AB3C5C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00007FF7B7AB3C5C

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe"
    Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssf731.ps1" -propfile "c:\users\user\appdata\local\temp\msif72e.txt" -scriptfile "c:\users\user\appdata\local\temp\scrf72f.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrf730.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
    Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssf731.ps1" -propfile "c:\users\user\appdata\local\temp\msif72e.txt" -scriptfile "c:\users\user\appdata\local\temp\scrf72f.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrf730.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
    Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe | Code function: 7_2_00007FF68C7B2DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_00007FF68C7B2DA0
    MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count of matching signatures shown in the report, techniques without a number were not observed)

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
    Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
    Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
    Execution: Command and Scripting Interpreter (1); PowerShell (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
    Persistence: Windows Service (1); Scripting (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
    Privilege Escalation: Windows Service (1); Process Injection (11); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
    Defense Evasion: Masquerading (21); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (121); Process Injection (11); Obfuscated Files or Information (1); Timestomp (1); DLL Side-Loading (1); File Deletion (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
    Discovery: System Time Discovery (1); Security Software Discovery (111); Process Discovery (1); Virtualization/Sandbox Evasion (121); Application Window Discovery (1); Peripheral Device Discovery (11); System Information Discovery (13); System Owner/User Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
    Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
    Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (3); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
    Behavior Graph (ID: 1583002; Sample: 6a7e35.msi; Start date: 01/01/2025; Architecture: WINDOWS; Score: 68)

    Top-level signatures: Suricata IDS alerts for network traffic; AI detected suspicious sample; Sigma detected: Suspicious Script Execution From Temp Folder; Sigma detected: Script Interpreter Execution From Suspicious Folder
    Contacted domain: blamedical.com

    Process tree:
      msiexec.exe (started from the sample)
        dropped: C:\Windows\Installer\MSIF6BA.tmp (PE32); C:\Windows\Installer\MSIF168.tmp (PE32); C:\Windows\Installer\MSID312.tmp (PE32); 51 other files (none is malicious)
        started: msiexec.exe (child), cmd.exe, createdump.exe
      msiexec.exe (second instance started from the sample)
      msiexec.exe (child)
        network: blamedical.com 104.21.32.1, port 443, local port 49730 (CLOUDFLARENETUS, United States)
        dropped: C:\Users\user\AppData\Local\...\scrF72F.ps1 (Unicode); C:\Users\user\AppData\Local\...\pssF731.ps1 (Unicode); C:\Users\user\AppData\Local\...\msiF72E.txt (Unicode)
        signatures: Query firmware table information (likely to detect VMs); Bypasses PowerShell execution policy
        started: powershell.exe
          started: conhost.exe
      cmd.exe
        started: obs-ffmpeg-mux.exe, conhost.exe
          obs-ffmpeg-mux.exe started: conhost.exe
      createdump.exe
        started: conhost.exe

    Source | Detection | Scanner | Label
    6a7e35.msi | 5% | ReversingLabs |
    6a7e35.msi | 7% | Virustotal |

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-console-l1-2-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\avcodec-60.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\avformat-60.dll | 3% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\avutil-58.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\msvcp140.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\swresample-4.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\swscale-7.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\utest.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\vcruntime140.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\vcruntime140_1.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\w32-pthreads.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\zlib.dll | 0% | ReversingLabs |
    C:\Windows\Installer\MSID118.tmp | 0% | ReversingLabs |
    C:\Windows\Installer\MSID186.tmp | 0% | ReversingLabs |
    C:\Windows\Installer\MSID214.tmp | 0% | ReversingLabs |
    C:\Windows\Installer\MSID263.tmp | 0% | ReversingLabs |
    C:\Windows\Installer\MSID2B2.tmp | 0% | ReversingLabs |
    C:\Windows\Installer\MSID2E2.tmp | 0% | ReversingLabs |
    C:\Windows\Installer\MSID312.tmp | 0% | ReversingLabs |
    C:\Windows\Installer\MSIF168.tmp | 0% | ReversingLabs |
    C:\Windows\Installer\MSIF6BA.tmp | 0% | ReversingLabs |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    https://blamedical.com/updater.php | 0% | Avira URL Cloud | safe
    http://schemas.micj | 0% | Avira URL Cloud | safe
    https://blamedical.com/updater.phpx | 0% | Avira URL Cloud | safe
    http://ccsca2021.ocsp-certum.com05 | 0% | Avira URL Cloud | safe
    http://dashif.org/guidelines/trickmode | 0% | Avira URL Cloud | safe
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    blamedical.com | 104.21.32.1 | true | true | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    https://blamedical.com/updater.php | true | Avira URL Cloud: safe | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1785734602.000000000610D000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://crl.certum.pl/ctsca2021.crl0o | createdump.exe.1.dr | false | | high
    http://repository.certum.pl/ctnca.cer09 | createdump.exe.1.dr | false | | high
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1783673275.00000000051F6000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://crl.certum.pl/ctnca.crl0k | createdump.exe.1.dr | false | | high
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1783673275.00000000051F6000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://go.micro | powershell.exe, 00000003.00000002.1783673275.0000000005761000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/License | powershell.exe, 00000003.00000002.1785734602.000000000610D000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/Icon | powershell.exe, 00000003.00000002.1785734602.000000000610D000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://schemas.micj | 6a7e35.msi, 49c7b5.msi.1.dr | false | Avira URL Cloud: safe | unknown
    http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd | avformat-60.dll.1.dr | false | | high
    http://ccsca2021.crl.certum.pl/ccsca2021.crl0s | createdump.exe.1.dr | false | | high
    https://www.certum.pl/CPS0 | createdump.exe.1.dr | false | | high
    https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1783673275.00000000051F6000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://repository.certum.pl/ccsca2021.cer0 | createdump.exe.1.dr | false | | high
    http://repository.certum.pl/ctsca2021.cer0 | createdump.exe.1.dr | false | | high
    https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.1783673275.00000000050A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://subca.ocsp-certum.com05 | createdump.exe.1.dr | false | | high
    http://www.zlib.net/D | zlib.dll.1.dr | false | | high
    http://subca.ocsp-certum.com02 | createdump.exe.1.dr | false | | high
    http://subca.ocsp-certum.com01 | createdump.exe.1.dr | false | | high
    http://www.videolan.org/x264.html | obs-ffmpeg-mux.exe, 0000000A.00000002.1845302474.00007FFDF9AB0000.00000002.00000001.01000000.00000008.sdmp | false | | high
    https://contoso.com/ | powershell.exe, 00000003.00000002.1785734602.000000000610D000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1785734602.000000000610D000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://dashif.org/guidelines/trickmode | avformat-60.dll.1.dr | false | Avira URL Cloud: safe | unknown
    http://crl.certum.pl/ctnca2.crl0l | createdump.exe.1.dr | false | | high
    http://repository.certum.pl/ctnca2.cer09 | createdump.exe.1.dr | false | | high
    http://ccsca2021.ocsp-certum.com05 | createdump.exe.1.dr | false | Avira URL Cloud: safe | unknown
    https://aka.ms/winui2/webview2download/Reload(): | 6a7e35.msi, 49c7b5.msi.1.dr | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1783673275.00000000050A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.certum.pl/CPS0 | createdump.exe.1.dr | false | | high
    https://blamedical.com/updater.phpx | 6a7e35.msi, 49c7b5.msi.1.dr | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.32.1 | blamedical.com | United States | 13335 | CLOUDFLARENETUS | true
                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1583002
                                                              Start date and time:2025-01-01 12:34:14 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 6m 28s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:6a7e35.msi
                                                              Detection:MAL
                                                              Classification:mal68.evad.winMSI@17/88@1/1
                                                              EGA Information:
                                                              • Successful, ratio: 33.3%
                                                              HCA Information:
                                                              • Successful, ratio: 100%
                                                              • Number of executed functions: 13
                                                              • Number of non-executed functions: 35
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .msi
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                              • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target obs-ffmpeg-mux.exe, PID 7328 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 7872 because it is empty
• Not all processes were analyzed, report is missing behavior information
Time | Type | Description
06:35:15 | API Interceptor | 6x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.32.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | redroomaudio.com/administrator/index.php
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | http://tracking.b2bmktvault.com/tracking/click?d=qPk_c18mu4tAnpVkjkvM74XnWEgCEJFMr0kmnRaZVETZIbfUm-V7axMnjqAoCLnqzaVyNRK36FUkPva8vnzGVvH9cqu1JpLb-vxN3FkjjYhK51_3JrkS14Hcuqb1FOJE1bnSPADYUAMl8knPwYz7btXcOUX9DY4_AjytTbLRGEQ0R8vUhh6vaa-KBtd0YdWGVJFQli_mKczqrYpzYk33dCMwBXQR8R8u2JajJsC51OFcIlRSs_l3i1d9MQf5ZYWuxV_Ytx1pTi2iUY6P97JH0U81 | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | http://tracking.b2bmktvault.com/tracking/click?d=qPk_c18mu4tAnpVkjkvM74XnWEgCEJFMr0kmnRaZVETZIbfUm-V7axMnjqAoCLnqzaVyNRK36FUkPva8vnzGVvH9cqu1JpLb-vxN3FkjjYhK51_3JrkS14Hcuqb1FOJE1bnSPADYUAMl8knPwYz7btXcOUX9DY4_AjytTbLRGEQ0R8vUhh6vaa-KBtd0YdWGu732v1MZ_EelGtWldAkkdtYGfnD-GIQEN8fgQfvllyKpzr3-J0fwpuBZsUPy3J_TvPM8sfKRevcMTcDv6eAynng1 | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | OXoeX1Ii3x.exe | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | OXoeX1Ii3x.exe | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | vj0Vxt8xM4.exe | malicious | Unknown | 104.20.99.10
CLOUDFLARENETUS | vj0Vxt8xM4.exe | malicious | Unknown | 104.20.99.10
CLOUDFLARENETUS | dropper.exe | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | 1.ps1 | malicious | Unknown | 172.67.144.62
CLOUDFLARENETUS | https://gogl.to/3HGT | malicious | CAPTCHA Scam ClickFix | 188.114.97.3
CLOUDFLARENETUS | setup.exe | malicious | Unknown | 104.21.30.45
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | ipmsg5.6.18_installer.exe | malicious | Unknown | 104.21.32.1
37f463bf4616ecd445d4a1937da06e19 | OXoeX1Ii3x.exe | malicious | Unknown | 104.21.32.1
37f463bf4616ecd445d4a1937da06e19 | OXoeX1Ii3x.exe | malicious | Unknown | 104.21.32.1
37f463bf4616ecd445d4a1937da06e19 | 0000000000000000.exe | malicious | Nitol | 104.21.32.1
37f463bf4616ecd445d4a1937da06e19 | 0000000000000000.exe | malicious | Unknown | 104.21.32.1
37f463bf4616ecd445d4a1937da06e19 | 1.ps1 | malicious | Unknown | 104.21.32.1
37f463bf4616ecd445d4a1937da06e19 | setup.exe | malicious | Unknown | 104.21.32.1
37f463bf4616ecd445d4a1937da06e19 | Let's_20Compress.exe | malicious | Unknown | 104.21.32.1
37f463bf4616ecd445d4a1937da06e19 | CenteredDealing.exe | malicious | Vidar | 104.21.32.1
37f463bf4616ecd445d4a1937da06e19 | CenteredDealing.exe | malicious | Vidar | 104.21.32.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe | setup.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe | setup.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe | setup.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe | setup.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe | setup.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe | 48.252.190.9.zip | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe | setup.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe | TrdIE26br9.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe | b8ygJBG5cb.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe | setup.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe | setup.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe | setup.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe | setup.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe | setup.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe | setup.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe | 48.252.190.9.zip | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe | setup.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe | TrdIE26br9.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe | b8ygJBG5cb.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe | setup.msi | malicious | Unknown | -
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:modified
                                                                                                      Size (bytes):20058
                                                                                                      Entropy (8bit):5.844922649416341
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:nX2sOKtNAVnfExtXFGdkkGeGNXySFcmorn2+L/Bhon0/z84WtL1ya9KPNnQw6Qwr:nX2sOKtNAVnfExtXFGdkkGeGNXySFcm3
                                                                                                      MD5:1E99393972FC36038622B79B3ED4A98C
                                                                                                      SHA1:F1376427938CDB4D04C58BABBAED7F8E14D75A8F
                                                                                                      SHA-256:4CF5FBC2B42A73CA9D0D06D3153D206EE6B1D4B86A6214CF60A19614B3BFD7AB
                                                                                                      SHA-512:E5B565F9550159A7E9B234A49714D7C907E5A0F14DA7F30DBED84EAFA32C4ED53EE3D2AF3E8ABAD097B7DEC69019CAA42D6214C96EA5C9E8ECC9A8FCD820D841
                                                                                                      Malicious:false
                                                                                                      Preview:...@IXOS.@.....@i4!Z.@.....@.....@.....@.....@.....@......&.{65C7DA5B-F0BA-4729-9DEF-3AF5FDD631B8}..Triund App..6a7e35.msi.@.....@.....@.....@......icon_24.exe..&.{EDA55411-36FB-4675-9E18-C9AA2E8C2AA8}.....@.....@.....@.....@.......@.....@.....@.......@......Triund App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F39C344E-A83E-4760-8DA8-F27602095B4F}&.{65C7DA5B-F0BA-4729-9DEF-3AF5FDD631B8}.@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}&.{65C7DA5B-F0BA-4729-9DEF-3AF5FDD631B8}.@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}&.{65C7DA5B-F0BA-4729-9DEF-3AF5FDD631B8}.@......&.{B61B35E4-8BE1-4171-B69B-E2423CE9179F}&.{65C7DA5B-F0BA-4729-9DEF-3AF5FDD631B8}.@......&.{FDDB96EE-847D-4B25-85B1-65E662CF63A8}&.{65C7DA5B-F0BA-4729-9DEF-3AF5FDD631B8}.@......&.{9608D8ED-8EC6-4540-B232-4A823606F862}&.{65C7DA5B-F0BA-4729-9DEF-3AF5FDD631B8}.@......&.{17B6E8D6-C004-40DB-BB2D-125D7C1CC21E}&.{65C7DA5B-F0BA-4
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):5.4119365212003565
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:3yWSKco4KmZjKbm51s4RPTsIKoTmoUP7mZ9t7J0gt/NK3R82rqHSVbX:CWSU4xymI4RbqoUP7mZ9tK8NWR82XVbX
                                                                                                      MD5:3A6AC0EDE83CE742289D9F1488EB5D9D
                                                                                                      SHA1:9173A7CF628BC71A6207C99821C6169B021BFDC1
                                                                                                      SHA-256:1E9DB34A3AF5BCE7B1187247A61AB67FD67B24B734B6702154037EC57D3D2647
                                                                                                      SHA-512:644FAE1250D687D6BB681D9A5E4BC0932C77B58F5659BAEFEAF825AAB00BA7435A9C2AB96F110617ADA3BD26C24C7B559E043877F12DAB3A2FC6F00E20D705E5
                                                                                                      Malicious:false
                                                                                                      Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...4.....................@.[8]'.\........System.Data.@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):100
                                                                                                      Entropy (8bit):3.0073551160284637
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Q0JUINRYplflrOdlVWNlANf5Yplf955:Q0JB0LJOn03ANqLN
                                                                                                      MD5:7A131AC8F407D08D1649D8B66D73C3B0
                                                                                                      SHA1:D93E1B78B1289FB51E791E524162D69D19753F22
                                                                                                      SHA-256:9ACBF0D3EEF230CC2D5A394CA5657AE42F3E369292DA663E2537A278A811FF5B
                                                                                                      SHA-512:47B6FF38B4DF0845A83F17E0FE889747A478746E1E7F17926A5CCAC1DD39C71D93F05A88E0EC176C1E5D752F85D4BDCFFB5C64125D1BA92ACC91D03D6031848D
                                                                                                      Malicious:true
Preview (UTF-16 decoded):QuiteSes :<->:  <<:>> ExtendExpire :<->: 0 <<:>>
                                                                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6668
                                                                                                      Entropy (8bit):3.5127462716425657
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                                                                      MD5:30C30EF2CB47E35101D13402B5661179
                                                                                                      SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                                                                      SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                                                                      SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                                                                      Malicious:true
Preview (UTF-16 decoded):
param(
  [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
 ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
 ,[alias("lineSep")]       [Parameter(Mandatory=$true)] [string] $msiPropLineSeparator
 ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
 ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
 ,[Parameter(Mandatory=$true)]
                                                                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):254
                                                                                                      Entropy (8bit):3.555045878547657
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:QfFok79idK3fOlFogltHN+KiVmMXFVrMTlP1LlG7JidK3falnUOn03AnfInO:QfF3KvogM/XFVrMTQNeFUr3+
                                                                                                      MD5:E8A84AE0A0597E0C4FBB7FA36F7D0CA7
                                                                                                      SHA1:B97096DF7801FA5F91542F0F9A70616DD5D49B03
                                                                                                      SHA-256:9F2D8F053895BF9377A4686714833304E87A4E926B7581599D44B45380B5DFDE
                                                                                                      SHA-512:83960868B8DBFFEF2B3EE557AD89BB18CF80043FEB2A7BFDB0630F32A1870585158E4F4B367C72BBFDD760A586E5D1FEB73192C0E769507A6ED81E90BF4925EB
                                                                                                      Malicious:true
Preview (UTF-16 decoded):
$oignqp = AI_GetMsiProperty "QuiteSes"
$avoijg = [uint32]($oignqp -replace 't', '')
AI_SetMsiProperty "ExtendExpire" $avoijg
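The three msiexec-dropped files above show how this installer hands work to PowerShell: a wrapper script that takes the property file path and the key/value and line separators as parameters (propFile, propSep, lineSep) plus the user script path (scriptFile); a property file in which ":<->:" sits between a name and its value and "<<:>>" ends each entry; and a short user script with randomised variable names that reads the MSI property QuiteSes through AI_GetMsiProperty, strips every "t" from it, casts the remainder to [uint32] and stores it in ExtendExpire through AI_SetMsiProperty. The Python below is an added editor's example, not code from the report, from Joe Sandbox or from the installer: it parses the property file with the observed separators, replays the user script's transform and writes the result back in the same layout, so the custom action's effect can be reproduced without running the MSI. The layout it assumes (UTF-16LE with a BOM, one "name sep value linesep " run per entry) is inferred from the preview, the sample input is the 100-byte property file from the report re-encoded from its decoded preview, and the two PowerShell behaviours it relies on (that -replace is a case-insensitive regex replace and that [uint32]'' yields 0) are marked as assumptions in the comments.

```python
"""Replay of the MSI <-> PowerShell property exchange seen in the dropped files.

Added example; not part of the Joe Sandbox report or of the installer.
Assumptions (inferred from the dropped wrapper's parameters and the property
file preview): the file is UTF-16LE with a BOM and consists of runs of
"<name> <kvsep> <value> <linesep> ", with the separators observed in the report.
"""
import re
from typing import Dict

KV_SEP = ":<->:"    # observed value of the wrapper's -propSep parameter
LINE_SEP = "<<:>>"  # observed value of the wrapper's -lineSep parameter

# Constructed sample: the 100-byte property file from the report, re-encoded
# from its decoded preview (QuiteSes empty, ExtendExpire 0).
SAMPLE_PROP_BYTES = (
    "\ufeffQuiteSes :<->:  <<:>> ExtendExpire :<->: 0 <<:>> "
).encode("utf-16-le")


def parse_props(data: bytes, kv_sep: str = KV_SEP, line_sep: str = LINE_SEP) -> Dict[str, str]:
    """Parse a property file into a dict. Empty values are kept (QuiteSes above)."""
    text = data.decode("utf-16-le")
    if text.startswith("\ufeff"):
        text = text[1:]
    props: Dict[str, str] = {}
    for entry in text.split(line_sep):
        entry = entry.strip()
        if not entry:
            continue  # the trailing "<<:>> " leaves an empty tail
        if kv_sep not in entry:
            raise ValueError(f"entry without {kv_sep!r}: {entry!r}")
        name, value = entry.split(kv_sep, 1)
        props[name.strip()] = value.strip()
    return props


def serialize_props(props: Dict[str, str], kv_sep: str = KV_SEP, line_sep: str = LINE_SEP) -> bytes:
    """Write the dict back in the observed layout, BOM included."""
    body = "".join(f"{name} {kv_sep} {value} {line_sep} " for name, value in props.items())
    return ("\ufeff" + body).encode("utf-16-le")


def ps_uint32(value: str) -> int:
    """Mimic PowerShell's [uint32] cast of a string for the cases that matter here.

    Assumption: [uint32]'' is 0 (which is what the dropped property file shows for
    ExtendExpire) and plain decimal strings parse as-is. Hex and exponent forms
    that PowerShell would also accept are deliberately rejected here.
    """
    s = value.strip()
    if s == "":
        return 0
    if not re.fullmatch(r"[0-9]+", s):
        raise ValueError(f"not a plain decimal uint32: {value!r}")
    n = int(s, 10)
    if n > 0xFFFFFFFF:
        raise ValueError(f"does not fit in uint32: {value!r}")
    return n


def run_user_script(props: Dict[str, str]) -> Dict[str, str]:
    """Replay the dropped 254-byte user script:

        $oignqp = AI_GetMsiProperty "QuiteSes"
        $avoijg = [uint32]($oignqp -replace 't', '')
        AI_SetMsiProperty "ExtendExpire" $avoijg

    Assumption: -replace is a regex replace that is case-insensitive by default
    in PowerShell, so both 't' and 'T' are removed (re.IGNORECASE below).
    """
    quite_ses = props.get("QuiteSes", "")
    digits = re.sub("t", "", quite_ses, flags=re.IGNORECASE)
    updated = dict(props)
    updated["ExtendExpire"] = str(ps_uint32(digits))
    return updated


def replay(data: bytes) -> bytes:
    """Parse the property file, apply the user script's logic, write it back."""
    return serialize_props(run_user_script(parse_props(data)))


if __name__ == "__main__":
    print(parse_props(SAMPLE_PROP_BYTES))
    print(replay(SAMPLE_PROP_BYTES) == SAMPLE_PROP_BYTES)
```

Run against the report's own property file the replay is a fixed point (QuiteSes is empty, so ExtendExpire stays 0); feeding a value such as "t3t0T" shows the transform producing 30 once the 't' characters are stripped, which is the kind of input the installer would receive through its QuiteSes property.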
Process:C:\Windows\System32\msiexec.exe
File Type:MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
Category:dropped
Size (bytes):195906
Entropy (8bit):4.669224805215773
Encrypted:false
SSDEEP:1536:k1Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9ykl:k1Z0vZXJZYDFufyXbJNCcr
MD5:E40B08C6FF5F07916B45741B7D0C5E87
SHA1:94C2357A59BAA3B537993F570CEA03EC51C1917B
SHA-256:131ABD59B7D4B6177F2815E8CEB0F3DA325CB1074AEFBE99F61A382F1895AF44
SHA-512:FA8453DD4936F772381E50533CD91DB8857F1A608CEB91F225300FC4E9DE8475EB416A3682D0C85829058570EBB9BBDF18CC650D36FA87E13BC262C827D0C695
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):310928
Entropy (8bit):6.001677789306043
Encrypted:false
SSDEEP:3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
MD5:147B71C906F421AC77F534821F80A0C6
SHA1:3381128CA482A62333E20D0293FDA50DC5893323
SHA-256:7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
SHA-512:2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: 48.252.190.9.zip, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: TrdIE26br9.msi, Detection: malicious
• Filename: b8ygJBG5cb.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):506008
Entropy (8bit):6.4284173495366845
Encrypted:false
SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: 48.252.190.9.zip, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: TrdIE26br9.msi, Detection: malicious
• Filename: b8ygJBG5cb.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12224
Entropy (8bit):6.596101286914553
Encrypted:false
SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
MD5:919E653868A3D9F0C9865941573025DF
SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12224
Entropy (8bit):6.640081558424349
Encrypted:false
SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
MD5:7676560D0E9BC1EE9502D2F920D2892F
SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):11712
Entropy (8bit):6.6023398138369505
Encrypted:false
SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):11720
Entropy (8bit):6.614262942006268
Encrypted:false
SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):11720
Entropy (8bit):6.654155040985372
Encrypted:false
SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
MD5:94788729C9E7B9C888F4E323A27AB548
SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):15304
Entropy (8bit):6.548897063441128
Encrypted:false
SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
MD5:580D9EA2308FC2D2D2054A79EA63227C
SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):11712
Entropy (8bit):6.622041192039296
Encrypted:false
SSDEEP:192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
MD5:35BC1F1C6FBCCEC7EB8819178EF67664
SHA1:BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
SHA-256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
SHA-512:9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11720
Entropy (8bit): 6.730719514840594
Encrypted: false
SSDEEP: 192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
MD5: 3BF4406DE02AA148F460E5D709F4F67D
SHA1: 89B28107C39BB216DA00507FFD8ADB7838D883F6
SHA-256: 349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
SHA-512: 5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11720
Entropy (8bit): 6.626458901834476
Encrypted: false
SSDEEP: 192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
MD5: BBAFA10627AF6DFAE5ED6E4AEAE57B2A
SHA1: 3094832B393416F212DB9107ADD80A6E93A37947
SHA-256: C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
SHA-512: D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 12232
Entropy (8bit): 6.577869728469469
Encrypted: false
SSDEEP: 192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
MD5: 3A4B6B36470BAD66621542F6D0D153AB
SHA1: 5005454BA8E13BAC64189C7A8416ECC1E3834DC6
SHA-256: 2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
SHA-512: 84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11712
Entropy (8bit): 6.6496318655699795
Encrypted: false
SSDEEP: 192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
MD5: A038716D7BBD490378B26642C0C18E94
SHA1: 29CD67219B65339B637A1716A78221915CEB4370
SHA-256: B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
SHA-512: 43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 12736
Entropy (8bit): 6.587452239016064
Encrypted: false
SSDEEP: 192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
MD5: D75144FCB3897425A855A270331E38C9
SHA1: 132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
SHA-256: 08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
SHA-512: 295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 14280
Entropy (8bit): 6.658205945107734
Encrypted: false
SSDEEP: 384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
MD5: 8ACB83D102DABD9A5017A94239A2B0C6
SHA1: 9B43A40A7B498E02F96107E1524FE2F4112D36AE
SHA-256: 059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
SHA-512: B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 12224
Entropy (8bit): 6.621310788423453
Encrypted: false
SSDEEP: 96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
MD5: 808F1CB8F155E871A33D85510A360E9E
SHA1: C6251ABFF887789F1F4FC6B9D85705788379D149
SHA-256: DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
SHA-512: 441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11720
Entropy (8bit): 6.7263193693903345
Encrypted: false
SSDEEP: 192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
MD5: CFF476BB11CC50C41D8D3BF5183D07EC
SHA1: 71E0036364FD49E3E535093E665F15E05A3BDE8F
SHA-256: B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
SHA-512: 7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 12744
Entropy (8bit): 6.601327134572443
Encrypted: false
SSDEEP: 192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
MD5: F43286B695326FC0C20704F0EEBFDEA6
SHA1: 3E0189D2A1968D7F54E721B1C8949487EF11B871
SHA-256: AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
SHA-512: 6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 14272
Entropy (8bit): 6.519411559704781
Encrypted: false
SSDEEP: 192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
MD5: E173F3AB46096482C4361378F6DCB261
SHA1: 7922932D87D3E32CE708F071C02FB86D33562530
SHA-256: C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
SHA-512: 3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...j............." .........................................................0......%C....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12232
                                                                                                      Entropy (8bit):6.659079053710614
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                                                                      MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                                                                      SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                                                                      SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                                                                      SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......6y....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):11200
                                                                                                      Entropy (8bit):6.7627840671368835
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                                                                      MD5:0233F97324AAAA048F705D999244BC71
                                                                                                      SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                                                                      SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                                                                      SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....f............" .........................................................0.......>....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12224
                                                                                                      Entropy (8bit):6.590253878523919
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                                                                      MD5:E1BA66696901CF9B456559861F92786E
                                                                                                      SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                                                                      SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                                                                      SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...._............" .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):11720
                                                                                                      Entropy (8bit):6.672720452347989
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                                                                      MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                                                                      SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                                                                      SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                                                                      SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....<.........." .........................................................0.......g....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):13760
                                                                                                      Entropy (8bit):6.575688560984027
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                                                                      MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                                                                      SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                                                                      SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                                                                      SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0............`.........................................`...X............ ...................!..............T............................................................................rdata..|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12232
                                                                                                      Entropy (8bit):6.70261983917014
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                                                                      MD5:D175430EFF058838CEE2E334951F6C9C
                                                                                                      SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                                                                      SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                                                                      SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......G.....`.........................................`...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12744
                                                                                                      Entropy (8bit):6.599515320379107
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                                                                      MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                                                                      SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                                                                      SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                                                                      SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r............" .........................................................0............`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12232
                                                                                                      Entropy (8bit):6.690164913578267
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                                                                      MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                                                                                      SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                                                                                      SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                                                                                      SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....Y$..........." .........................................................0.......d....`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):11720
                                                                                                      Entropy (8bit):6.615761482304143
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                                                                                      MD5:735636096B86B761DA49EF26A1C7F779
                                                                                                      SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                                                                                      SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                                                                                      SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......Xc....`.........................................`...<............ ...................!..............T............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12744
                                                                                                      Entropy (8bit):6.627282858694643
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                                                                                      MD5:031DC390780AC08F498E82A5604EF1EB
                                                                                                      SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                                                                                      SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                                                                                      SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15816
                                                                                                      Entropy (8bit):6.435326465651674
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                                                                      MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                                                                      SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                                                                      SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                                                                      SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12232
                                                                                                      Entropy (8bit):6.5874576656353145
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                                                                      MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                                                                      SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                                                                      SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                                                                      SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):13768
                                                                                                      Entropy (8bit):6.645869978118917
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                                                                      MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                                                                      SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                                                                      SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                                                                      SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):37333152
                                                                                                      Entropy (8bit):6.632921864082428
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:393216:LzyCmQCOCLheXbl4MEf+Eidgrpj3xO6FLzq2KHplhrX5:L5WLheXbl4MEf+HgrpjVF6PD5
                                                                                                      MD5:32F56F3E644C4AC8C258022C93E62765
                                                                                                      SHA1:06DFF5904EBBF69551DFA9F92E6CC2FFA9679BA1
                                                                                                      SHA-256:85AF2FB4836145098423E08218AC381110A6519CB559FF6FC7648BA310704315
                                                                                                      SHA-512:CAE2B9E40FF71DDAF76A346C20028867439B5726A16AE1AD5E38E804253DFCF6ED0741095A619D0999728D953F2C375329E86B8DE4A0FCE55A8CDC13946D5AD8
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):5100112
                                                                                                      Entropy (8bit):6.374242928276845
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:WBUp8DPNkkup6GAx9HEekwEfG/66xcPiw+UgAnBM+sVf9d3PWKOyz/Omlc69kXOV:WB/Z16w8idUgfT0b6LnBSpytGyodUl
                                                                                                      MD5:01589E66D46ABCD9ACB739DA4B542CE4
                                                                                                      SHA1:6BF1BD142DF68FA39EF26E2CAE82450FED03ECB6
                                                                                                      SHA-256:9BB4A5F453DA85ACD26C35969C049592A71A7EF3060BFA4EB698361F2EDB37A3
                                                                                                      SHA-512:0527AF5C1E7A5017E223B3CC0343ED5D42EC236D53ECA30D6DECCEB2945AF0C1FBF8C7CE367E87BC10FCD54A77F5801A0D4112F783C3B7E829B2F40897AF8379
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1089600
                                                                                                      Entropy (8bit):6.535744457220272
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:NFUq9wHzADwiB0Bm3k6gz0sA+wLDZyoFNRsKYw:TUdMDwIgm3kpzsNpyoFDsKYw
                                                                                                      MD5:3AAF57892F2D66F4A4F0575C6194F0F8
                                                                                                      SHA1:D65C9143603940EDE756D7363AB6750F6B45AB4E
                                                                                                      SHA-256:9E0D0A05B798DA5D6C38D858CE1AD855C6D68BA2F9822FA3DA16E148E97F9926
                                                                                                      SHA-512:A5F595D9C48B8D5191149D59896694C6DD0E9E1AF782366162D7E3C90C75B2914F6E7AFF384F4B59CA7C5A1ECCCDBF5758E90A6A2B14A8625858A599DCCA429B
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):57488
                                                                                                      Entropy (8bit):6.382541157520703
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                                                                                      MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                                                                                      SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                                                                                      SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                                                                                      SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:RAR archive data, v5
                                                                                                      Category:dropped
                                                                                                      Size (bytes):405262
                                                                                                      Entropy (8bit):7.999548309296225
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:12288:wQyCdOxYtY4ESfIuP46tTG3nZrRUSU6sgVm:w5ElQurB0ZuT62
                                                                                                      MD5:6597C0FB47A283241507B8B8F85E7432
                                                                                                      SHA1:EC5353F27E9F1F50325D9D89B6AB0AD6A89870DA
                                                                                                      SHA-256:BBE26EA81568F4BFAB6426406BB6BC92C25A5BC55E8378C67D704ED0CB1411DD
                                                                                                      SHA-512:AF90A84763FAF384FB84D701B5D32C15D33AE9F9C1D3C767C14F0A63B1C4DC6FA338FC4639D717CE92416751A3126F8B7249186ED1AC6F9296E2229698FCEDB6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):566704
                                                                                                      Entropy (8bit):6.494428734965787
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                                                                      MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                                                                      SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                                                                      SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                                                                      SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):35656
                                                                                                      Entropy (8bit):6.370522595411868
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:ixmeWkfdHAWcgj7Y7rEabyLcRwEpYinAMx1nyqaJ:pXUdg8jU7r4LcRZ7Hx1nyqa
                                                                                                      MD5:D3CAC4D7B35BACAE314F48C374452D71
                                                                                                      SHA1:95D2980786BC36FEC50733B9843FDE9EAB081918
                                                                                                      SHA-256:4233600651FB45B9E50D2EC8B98B9A76F268893B789A425B4159675B74F802AA
                                                                                                      SHA-512:21C8D73CC001EF566C1F3C7924324E553A6DCA68764ECB11C115846CA54E74BD1DFED12A65AF28D9B00DDABA04F987088AA30E91B96E050E4FC1A256FFF20880
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):22
Entropy (8bit):3.879664004902594
Encrypted:false
SSDEEP:3:mKDDlR+7H6U:hOD6U
MD5:D9324699E54DC12B3B207C7433E1711C
SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
Malicious:false
Preview:@echo off..Start "" %1

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):158968
Entropy (8bit):6.4238235663554955
Encrypted:false
SSDEEP:1536:izN/1rbQ+rTccg/Lla75jjVBzYCDNzuDQr5whduOd7EKPuh9Aco6uAGUtQFUzcnX:8N/FQ+rejlaFhdrXORhjD6VGUtQWk
MD5:7FB892E2AC9FF6981B6411FF1F932556
SHA1:861B6A1E59D4CD0816F4FEC6FD4E31FDE8536C81
SHA-256:A45A29AECB118FC1A27ECA103EAD50EDD5343F85365D1E27211FE3903643C623
SHA-512:986672FBB14F3D61FFF0924801AAB3E9D6854BB3141B95EE708BF5B80F8552D5E0D57182226BABA0AE8995A6A6F613864AB0E5F26C4DCE4EB88AB82B060BDAC5
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):707200
Entropy (8bit):6.610520126248797
Encrypted:false
SSDEEP:12288:hTl8xt5jEuhuoWZz8Rt5brZcXVEZMbYwepVQ0G6ddTD8qevJMLf50555555555mj:hZ8xt5jEuhuoWZz8Rt5brZcXVEZMbYJz
MD5:1144E36E0F8F739DB55A7CF9D4E21E1B
SHA1:9FA49645C0E3BAE0EDD44726138D7C72EECE06DD
SHA-256:65F8E4D76067C11F183C0E1670972D81E878E6208E501475DE514BC4ED8638FD
SHA-512:A82290D95247A67C4D06E5B120415318A0524D00B9149DDDD8B32E21BBD0EE4D86BB397778C4F137BF60DDD4167EE2E9C6490B3018031053E9FE3C0D0B3250E7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):12124160
Entropy (8bit):4.1175508751036585
Encrypted:false
SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
Malicious:false
Preview:[binary data; readable string: Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925]

Process:C:\Windows\System32\msiexec.exe
File Type:Java jmod module version 1.0
Category:dropped
Size (bytes):51389
Entropy (8bit):7.916683616123071
Encrypted:false
SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
MD5:8F4C0388762CD566EAE3261FF8E55D14
SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:Java jmod module version 1.0
Category:dropped
Size (bytes):41127
Entropy (8bit):7.961466748192397
Encrypted:false
SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
MD5:D039093C051B1D555C8F9B245B3D7FA0
SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:Java jmod module version 1.0
Category:dropped
Size (bytes):113725
Entropy (8bit):7.928841651831531
Encrypted:false
SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
MD5:3A03EF8F05A2D0472AE865D9457DAB32
SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:Java jmod module version 1.0
Category:dropped
Size (bytes):896846
Entropy (8bit):7.923431656723031
Encrypted:false
SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
MD5:C6FBB7D49CAA027010C2A817D80CA77C
SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):639224
Entropy (8bit):6.219852228773659
Encrypted:false
SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
MD5:01DACEA3CBE5F2557D0816FC64FAE363
SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):98224
Entropy (8bit):6.452201564717313
Encrypted:false
SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):37256
Entropy (8bit):6.297533243519742
Encrypted:false
SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
MD5:135359D350F72AD4BF716B764D39E749
SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):53576
                                                                                                      Entropy (8bit):6.371750593889357
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:ij2SSS5nVoSiH/pOfv3Q3cY37Hx1nI6q:GhSSntiH/pOfvAf3
                                                                                                      MD5:E1EEBD44F9F4B52229D6E54155876056
                                                                                                      SHA1:052CEA514FC3DA5A23DE6541F97CD4D5E9009E58
                                                                                                      SHA-256:D96F2242444A334319B4286403D4BFADAF3F9FCCF390F3DD40BE32FB48CA512A
                                                                                                      SHA-512:235BB9516409A55FE7DDB49B4F3179BDCA406D62FD0EC1345ACDDF032B0F3F111C43FF957D4D09AD683D39449C0FFC4C050B387507FADF5384940BD973DAB159
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.<.K.o.K.o.K.o.3.o.K.oK7.n.K.oK7so.K.oK7.n.K.oK7.n.K.oK7.n.K.o'9.n.K.o.K.o.K.o,6.n.K.o,6.n.K.o,6qo.K.o.K.o.K.o,6.n.K.oRich.K.o........PE..d....Q............" ...#.b...J.......f............................................../.....`............................................X...(...........................H'......8.......p...........................P...@...............@............................text...ha.......b.................. ..`.rdata..P,...........f..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..8...........................@..B........................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):144200
                                                                                                      Entropy (8bit):6.592048391646652
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:GjxOs8gLeu4iSssNiTh9Yks32X3KqVy5SmBolzXfqLROJA0o1ZXMvr7Rn6dheIOI:I34iDsG5vm4bfqFKoDmr7h2MHTtwV6K
                                                                                                      MD5:3A0DBC5701D20AA87BE5680111A47662
                                                                                                      SHA1:BC581374CA1EBE8565DB182AC75FB37413220F03
                                                                                                      SHA-256:D53BC4348AD6355C20F75ED16A2F4F641D24881956A7AE8A0B739C0B50CF8091
                                                                                                      SHA-512:4740945606636C110AB6C365BD1BE6377A2A9AC224DE6A79AA506183472A9AD0641ECC63E5C5219EE8097ADEF6533AB35E2594D6F8A91788347FDA93CDB0440E
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...&............P....................................................`... ......................................0..|....@..8....p..................H'......................................(....................A..p............................text...............................`..`.data...............................@....rdata...W.......X..................@..@.pdata..............................@..@.xdata..............................@..@.bss......... ...........................edata..|....0......................@..@.idata..8....@......................@....CRT....X....P......................@....tls.........`......................@....rsrc........p......................@....reloc..............................@..B................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EDA55411-36FB-4675-9E18-C9AA2E8C2AA8}, Number of Words: 10, Subject: Triund App, Author: Ubrovs Apps Coops, Name of Creating Application: Triund App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Triund App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Dec 31 14:08:38 2024, Last Saved Time/Date: Tue Dec 31 14:08:38 2024, Last Printed: Tue Dec 31 14:08:38 2024, Number of Pages: 450
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60710717
                                                                                                      Entropy (8bit):7.214420219610554
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:786432:yrBtuVmrjV7eIAtenOTZaoh7DaY4Grgl0GzyKIjW8bExcjaa:yr+VmrjV7eIvnOTZacafvgWmCce
                                                                                                      MD5:B3AD59AC513D378E7FA7321B06B2039A
                                                                                                      SHA1:83F2542B7448BB78483BE186F52A91808B9CAF21
                                                                                                      SHA-256:800F0F4FDC891A092AB39C72E59A13119BEC9238B7643584605DAE5870E897D7
                                                                                                      SHA-512:F443ECA9A3FE58C6BF75A7223CC705B8C7019D230D31353926678B1334D58D8026A4AEF6FD30D939278E134B46721B08354305CDFFCA368C792B0AD5698B9849
                                                                                                      Malicious:false
                                                                                                      Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...X...K...L...e...N...O...P...Q...R...S...T...U...V...W...("..""..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EDA55411-36FB-4675-9E18-C9AA2E8C2AA8}, Number of Words: 10, Subject: Triund App, Author: Ubrovs Apps Coops, Name of Creating Application: Triund App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Triund App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Dec 31 14:08:38 2024, Last Saved Time/Date: Tue Dec 31 14:08:38 2024, Last Printed: Tue Dec 31 14:08:38 2024, Number of Pages: 450
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60710717
                                                                                                      Entropy (8bit):7.214420219610554
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:786432:yrBtuVmrjV7eIAtenOTZaoh7DaY4Grgl0GzyKIjW8bExcjaa:yr+VmrjV7eIvnOTZacafvgWmCce
                                                                                                      MD5:B3AD59AC513D378E7FA7321B06B2039A
                                                                                                      SHA1:83F2542B7448BB78483BE186F52A91808B9CAF21
                                                                                                      SHA-256:800F0F4FDC891A092AB39C72E59A13119BEC9238B7643584605DAE5870E897D7
                                                                                                      SHA-512:F443ECA9A3FE58C6BF75A7223CC705B8C7019D230D31353926678B1334D58D8026A4AEF6FD30D939278E134B46721B08354305CDFFCA368C792B0AD5698B9849
                                                                                                      Malicious:false
                                                                                                      Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...X...K...L...e...N...O...P...Q...R...S...T...U...V...W...("..""..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1021792
                                                                                                      Entropy (8bit):6.608727172078022
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                                                      MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                                                      SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                                                      SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                                                      SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1021792
                                                                                                      Entropy (8bit):6.608727172078022
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                                                      MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                                                      SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                                                      SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                                                      SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1021792
                                                                                                      Entropy (8bit):6.608727172078022
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                                                      MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                                                      SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                                                      SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                                                      SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1021792
                                                                                                      Entropy (8bit):6.608727172078022
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                                                      MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                                                      SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                                                      SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                                                      SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1201504
                                                                                                      Entropy (8bit):6.4557937684843365
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                                                                                      MD5:E83D774F643972B8ECCDB3A34DA135C5
                                                                                                      SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                                                                                      SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                                                                                      SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.|CF..@G.|DF..@G.|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...'.$g.........."!...).~..........Pq.......................................`......0.....@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1021792
                                                                                                      Entropy (8bit):6.608727172078022
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                                                      MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                                                      SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                                                      SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                                                      SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1021792
Entropy (8bit):6.608727172078022
Encrypted:false
SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):380520
Entropy (8bit):6.512348002260683
Encrypted:false
SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
MD5:FFDAACB43C074A8CB9A608C612D7540B
SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):215345
Entropy (8bit):4.946035211572181
Encrypted:false
SSDEEP:1536:KutT9WTi1Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9ykurUZ:KA9p1Z0vZXJZYDFufyXbJNCc5
MD5:C5B113D39F0E57C213A2E089447876BB
SHA1:A97CBC146B77647E7C3784AD7C256EDE7D930BA0
SHA-256:9EEC809F9B60A742D6CCF61378EE053167B8940E0F31C69C430B7D84DF390445
SHA-512:835C3474E61BD7D8F07CD66FD349F858B9690883257F4C5946AE42D76E5D7B790687E21C02D2455BFEF0D6708651875991087A557E8D203420BB7BCB6B15475E
Malicious:false
                                                                                                      Preview:...@IXOS.@.....@h4!Z.@.....@.....@.....@.....@.....@......&.{65C7DA5B-F0BA-4729-9DEF-3AF5FDD631B8}..Triund App..6a7e35.msi.@.....@.....@.....@......icon_24.exe..&.{EDA55411-36FB-4675-9E18-C9AA2E8C2AA8}.....@.....@.....@.....@.......@.....@.....@.......@......Triund App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@3....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}<.C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}1.21:\Software\Ubrovs Apps Coops\Triund App\Version.@.......@.....@.....@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}E.C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\utest.dll.@.......@.....@.....@......&.{B61B35E4-8BE1-4171-B69B-E2423CE9179F}L.C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\vcruntime140.dll.@.......@.....@.....@......&.{FDDB96EE-847D
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):787808
Entropy (8bit):6.693392695195763
Encrypted:false
SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.1624391391950097
Encrypted:false
SSDEEP:12:JSbX72FjjQAGiLIlHVRpth/7777777777777777777777777vDHFwpWZmeIspSlN:JpQQI5p1meImF
MD5:579FA46951EA33C66C2A6459F08B91F0
SHA1:2D6C73AC823B49650353351E692A345D8B7B3B81
SHA-256:ADD03CDB19B0575EFB5408E3B65592402470A6EFFB9214768C72BFDE81838B09
SHA-512:5984E82808084774F1878AC4DD1C2AFF18C42ADA3CF59648FA7985662C097E0BB024F47DA046B186E3E37D41E8B1CBF009F1504F71DE4C6FE66A204416F4D5A3
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.5684578526813984
Encrypted:false
SSDEEP:48:98PhuuRc06WXJ8FT5mZwCAECiCyDSCpoTMUXuASC4TPA:ghu1fFT4KEC8IX1T
MD5:D8D79B71CED0F593156C7ADEEF41619A
SHA1:99777EF4A0DACC969920FEA26F57DB75494CA27B
SHA-256:DC4002914293B039E9798A200EE49027707DCAE720FA7598335EAA5F07ACF1E9
SHA-512:D41E09D242F5FA6B60D0A9F209F78436A6C9BE243D957C4E8056A2613A418D24D24ACA2235ED4827D03014FA0CA1FD7C9707EAEDEA39641EA9034AA441B20126
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):432221
Entropy (8bit):5.375164711870948
Encrypted:false
SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauQ:zTtbmkExhMJCIpEr5
MD5:5A4219D978F92394B63AFDFEBA72C9E9
SHA1:5ED62F66CF76886FF77C6CE09761FFCDA80D16C8
SHA-256:679C2A4A58283734C9516EC9055CE045D4C012288AFB1EAF6F4BD3C7A8BAF714
SHA-512:DBEFDB15718AB50E8E1B1311274B985DFFDE984CF849065D7D9A433B34D2F69CB2C0312E2E324536E29C01B59CA52915CA8486731042211A1C09393E18741018
Malicious:false
                                                                                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.256485742057103
Encrypted:false
SSDEEP:48:4RmuAO+CFXJxT5EkZwCAECiCyDSCpoTMUXuASC4TPA:wmCJTuYKEC8IX1T
MD5:9721BCE83530EF1F1E18EC8551D3D6E2
SHA1:0235B42A1D9747C69E5370D578BEB6DBC722F846
SHA-256:F17E0A788309F76A816FE091BE35D2973DEEBB63A0D59C96162CB01E10192283
SHA-512:7153549BD87EF615BF2F934E121DC3B840F33D8F9337950EE04B287BA40B9C2CA66885E7F3155BEE6F04FD36719473DEC70EEE7964D279C84EAC7F716E450499
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.256485742057103
Encrypted:false
SSDEEP:48:4RmuAO+CFXJxT5EkZwCAECiCyDSCpoTMUXuASC4TPA:wmCJTuYKEC8IX1T
MD5:9721BCE83530EF1F1E18EC8551D3D6E2
SHA1:0235B42A1D9747C69E5370D578BEB6DBC722F846
SHA-256:F17E0A788309F76A816FE091BE35D2973DEEBB63A0D59C96162CB01E10192283
SHA-512:7153549BD87EF615BF2F934E121DC3B840F33D8F9337950EE04B287BA40B9C2CA66885E7F3155BEE6F04FD36719473DEC70EEE7964D279C84EAC7F716E450499
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):1.256485742057103
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:4RmuAO+CFXJxT5EkZwCAECiCyDSCpoTMUXuASC4TPA:wmCJTuYKEC8IX1T
                                                                                                      MD5:9721BCE83530EF1F1E18EC8551D3D6E2
                                                                                                      SHA1:0235B42A1D9747C69E5370D578BEB6DBC722F846
                                                                                                      SHA-256:F17E0A788309F76A816FE091BE35D2973DEEBB63A0D59C96162CB01E10192283
                                                                                                      SHA-512:7153549BD87EF615BF2F934E121DC3B840F33D8F9337950EE04B287BA40B9C2CA66885E7F3155BEE6F04FD36719473DEC70EEE7964D279C84EAC7F716E450499
                                                                                                      Malicious:false
                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):73728
                                                                                                      Entropy (8bit):0.13879480059370708
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:WYu5bTxkrcipVkrukrGAEVkryjCyDipVkrFV2BwGHZMU80B+OGSau:jAbTeASCVCAECiCyDSCpoTMUXBz
                                                                                                      MD5:BEB6683DDB028272FF20CD0705FD92F4
                                                                                                      SHA1:9E806C70D69BD84B4EA20842B079BA5FECD3D2A9
                                                                                                      SHA-256:9BCE2580179B35FC19B6338DD64BE9353E51FCF1C3853B418B3AAECCA2F1EC77
                                                                                                      SHA-512:FFECC45ED70895A01D3BD81E1CF1F1418D691FAC44D17C8382B772BA1CF8D73600F487FD7B089ED499BFC8C4914E8F6F780809F8E8EBAD7955271278A5A3C22A
                                                                                                      Malicious:false
                                                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):1.5684578526813984
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:98PhuuRc06WXJ8FT5mZwCAECiCyDSCpoTMUXuASC4TPA:ghu1fFT4KEC8IX1T
                                                                                                      MD5:D8D79B71CED0F593156C7ADEEF41619A
                                                                                                      SHA1:99777EF4A0DACC969920FEA26F57DB75494CA27B
                                                                                                      SHA-256:DC4002914293B039E9798A200EE49027707DCAE720FA7598335EAA5F07ACF1E9
                                                                                                      SHA-512:D41E09D242F5FA6B60D0A9F209F78436A6C9BE243D957C4E8056A2613A418D24D24ACA2235ED4827D03014FA0CA1FD7C9707EAEDEA39641EA9034AA441B20126
                                                                                                      Malicious:false
                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):0.0694741882966888
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOwhqaWsOmzeIL1QVky6lS:2F0i8n0itFzDHFwpWZmeINS
                                                                                                      MD5:2E3E91A320755228508CD3C0E969FA04
                                                                                                      SHA1:AF65C25B75914A80949C7E7E990CB31365FEA6A5
                                                                                                      SHA-256:6736AA373CAB7A1605E7F18DFADA659911DA2B1855D26B2EEB7084D3362F362D
                                                                                                      SHA-512:24E6B66FDFBE2D94D3C01AC31DA351683F09B2AA8536071C7AC8C99303D85D2E43C84FE6E70264F03BFE31F5E419F8E519A1EFFDBDEEE8890AC67CAB55F9C272
                                                                                                      Malicious:false
                                                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):1.5684578526813984
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:98PhuuRc06WXJ8FT5mZwCAECiCyDSCpoTMUXuASC4TPA:ghu1fFT4KEC8IX1T
                                                                                                      MD5:D8D79B71CED0F593156C7ADEEF41619A
                                                                                                      SHA1:99777EF4A0DACC969920FEA26F57DB75494CA27B
                                                                                                      SHA-256:DC4002914293B039E9798A200EE49027707DCAE720FA7598335EAA5F07ACF1E9
                                                                                                      SHA-512:D41E09D242F5FA6B60D0A9F209F78436A6C9BE243D957C4E8056A2613A418D24D24ACA2235ED4827D03014FA0CA1FD7C9707EAEDEA39641EA9034AA441B20126
                                                                                                      Malicious:false
                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):638
                                                                                                      Entropy (8bit):4.751962275036146
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                                                                      MD5:15CA959638E74EEC47E0830B90D0696E
                                                                                                      SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                                                                      SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                                                                      SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                                                                      Malicious:false
                                                                                                      Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...
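The 512-byte entries above all share one set of hashes and an 8-bit entropy of 0.0, which is exactly what a buffer of 512 NUL bytes produces; such records carry no payload and should not consume triage time, while the Composite Document File entries with non-zero entropy are the ones worth opening. The following added example is not part of the Joe Sandbox report: it recomputes the report's hash and entropy fields from a constructed zero-filled buffer and uses that to sort dropped-file records in bulk. The record dictionaries are constructed here from the values printed above; the check works for any stated size, not only 512 bytes.

```python
"""Triage of sandbox 'dropped file' records by hash and entropy.

Added example for this report; the records below are constructed from the
values printed on the page, not read from the sandbox."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (the report's 'Entropy (8bit)' field)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the four algorithms the report lists."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def is_zero_filled(record: dict) -> bool:
    """True when the record's hashes are those of `Size (bytes)` NUL bytes.

    The digests are recomputed for a zero buffer of the stated size, so a
    4096-byte or 65536-byte placeholder is recognised just as well."""
    expected = digests(bytes(record["Size (bytes)"]))
    return all(record[k] == v for k, v in expected.items())


def triage(records: list) -> dict:
    """Split records into empty placeholders and files worth a second look."""
    out = {"zero_filled": [], "review": []}
    for r in records:
        (out["zero_filled"] if is_zero_filled(r) else out["review"]).append(r)
    return out


# Constructed from the report's rows: one of the identical 512-byte entries and
# the 20480-byte Composite Document File entry.
SAMPLE_RECORDS = [
    {
        "Process": r"C:\Windows\System32\msiexec.exe",
        "File Type": "data",
        "Size (bytes)": 512,
        "Entropy (8bit)": 0.0,
        "MD5": "BF619EAC0CDF3F68D496EA9344137E8B",
        "SHA1": "5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5",
        "SHA-256": "076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560",
        "SHA-512": "DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE",
    },
    {
        "Process": r"C:\Windows\System32\msiexec.exe",
        "File Type": "Composite Document File V2 Document, Cannot read section info",
        "Size (bytes)": 20480,
        "Entropy (8bit)": 1.5684578526813984,
        "MD5": "D8D79B71CED0F593156C7ADEEF41619A",
        "SHA1": "99777EF4A0DACC969920FEA26F57DB75494CA27B",
        "SHA-256": "DC4002914293B039E9798A200EE49027707DCAE720FA7598335EAA5F07ACF1E9",
        "SHA-512": "D41E09D242F5FA6B60D0A9F209F78436A6C9BE243D957C4E8056A2613A418D24D24ACA2235ED4827D03014FA0CA1FD7C9707EAEDEA39641EA9034AA441B20126",
    },
]

if __name__ == "__main__":
    for name, group in triage(SAMPLE_RECORDS).items():
        print(name, [(r["Size (bytes)"], r["File Type"]) for r in group])
```

The entropy value alone is not enough to classify a file as empty (a file of 512 identical non-zero bytes also scores 0.0), which is why the check compares digests against a zero buffer of the stated size rather than trusting the entropy field.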
                                                                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EDA55411-36FB-4675-9E18-C9AA2E8C2AA8}, Number of Words: 10, Subject: Triund App, Author: Ubrovs Apps Coops, Name of Creating Application: Triund App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Triund App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Dec 31 14:08:38 2024, Last Saved Time/Date: Tue Dec 31 14:08:38 2024, Last Printed: Tue Dec 31 14:08:38 2024, Number of Pages: 450
                                                                                                      Entropy (8bit):7.214420219610554
                                                                                                      TrID:
                                                                                                      • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                                                                      File name:6a7e35.msi
                                                                                                      File size:60'710'717 bytes
                                                                                                      MD5:b3ad59ac513d378e7fa7321b06b2039a
                                                                                                      SHA1:83f2542b7448bb78483be186f52a91808b9caf21
                                                                                                      SHA256:800f0f4fdc891a092ab39c72e59a13119bec9238b7643584605dae5870e897d7
                                                                                                      SHA512:f443eca9a3fe58c6bf75a7223cc705b8c7019d230d31353926678b1334d58d8026a4aef6fd30d939278e134b46721b08354305cdffca368c792b0ad5698b9849
                                                                                                      SSDEEP:786432:yrBtuVmrjV7eIAtenOTZaoh7DaY4Grgl0GzyKIjW8bExcjaa:yr+VmrjV7eIvnOTZacafvgWmCce
                                                                                                      TLSH:8BD76C01B3FA4148F2F75E717EBA85A594BABD521B30C0EF1244A60E1B71BC25BB1763
                                                                                                      File Content Preview:........................>............................................2..................................................................x......................................................................................................................
                                                                                                      Icon Hash:2d2e3797b32b2b99
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-01T12:35:14.320447+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1 | 192.168.2.4 | 49730 | 104.21.32.1 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 1, 2025 12:35:13.776005030 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 1, 2025 12:35:13.776051044 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 1, 2025 12:35:13.776140928 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 1, 2025 12:35:13.779757023 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 1, 2025 12:35:13.779788017 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 1, 2025 12:35:14.273823977 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 1, 2025 12:35:14.273889065 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 1, 2025 12:35:14.316327095 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 1, 2025 12:35:14.316354990 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 1, 2025 12:35:14.316711903 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 1, 2025 12:35:14.316764116 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 1, 2025 12:35:14.320283890 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 1, 2025 12:35:14.320346117 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 1, 2025 12:35:14.320382118 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 1, 2025 12:35:14.795245886 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 1, 2025 12:35:14.795322895 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 1, 2025 12:35:14.795350075 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 1, 2025 12:35:14.795397997 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 1, 2025 12:35:14.795484066 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 1, 2025 12:35:14.795567989 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 1, 2025 12:35:14.795583010 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 1, 2025 12:35:14.795623064 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 1, 2025 12:35:14.795694113 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 1, 2025 12:35:14.795710087 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 1, 2025 12:35:14.795726061 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 1, 2025 12:35:14.795774937 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 1, 2025 12:35:13.759398937 CET | 63937 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 12:35:13.772197008 CET | 53 | 63937 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 1, 2025 12:35:13.759398937 CET | 192.168.2.4 | 1.1.1.1 | 0x9f25 | Standard query (0) | blamedical.com | A (IP address) | IN (0x0001) | false
Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name            CName  Address       Type            Class        DNS over HTTPS
Jan 1, 2025 12:35:13.772197008 CET   1.1.1.1    192.168.2.4   0x9f25    No error (0)  blamedical.com         104.21.32.1   A (IP address)  IN (0x0001)  false
Jan 1, 2025 12:35:13.772197008 CET   1.1.1.1    192.168.2.4   0x9f25    No error (0)  blamedical.com         104.21.112.1  A (IP address)  IN (0x0001)  false
Jan 1, 2025 12:35:13.772197008 CET   1.1.1.1    192.168.2.4   0x9f25    No error (0)  blamedical.com         104.21.16.1   A (IP address)  IN (0x0001)  false
Jan 1, 2025 12:35:13.772197008 CET   1.1.1.1    192.168.2.4   0x9f25    No error (0)  blamedical.com         104.21.96.1   A (IP address)  IN (0x0001)  false
Jan 1, 2025 12:35:13.772197008 CET   1.1.1.1    192.168.2.4   0x9f25    No error (0)  blamedical.com         104.21.48.1   A (IP address)  IN (0x0001)  false
Jan 1, 2025 12:35:13.772197008 CET   1.1.1.1    192.168.2.4   0x9f25    No error (0)  blamedical.com         104.21.64.1   A (IP address)  IN (0x0001)  false
Jan 1, 2025 12:35:13.772197008 CET   1.1.1.1    192.168.2.4   0x9f25    No error (0)  blamedical.com         104.21.80.1   A (IP address)  IN (0x0001)  false
                                                                                                      • blamedical.com
Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4   49730        104.21.32.1     443               7688  C:\Windows\SysWOW64\msiexec.exe
Timestamp: 2025-01-01 11:35:14 UTC   Bytes transferred: 192   Direction: OUT
POST /updater.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvancedInstaller
Host: blamedical.com
Content-Length: 71
Cache-Control: no-cache

Timestamp: 2025-01-01 11:35:14 UTC   Bytes transferred: 71   Direction: OUT
Data Raw: 44 61 74 65 3d 30 31 25 32 46 30 31 25 32 46 32 30 32 35 26 54 69 6d 65 3d 30 36 25 33 41 33 35 25 33 41 31 33 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
Data Ascii: Date=01%2F01%2F2025&Time=06%3A35%3A13&BuildVersion=8.9.9&SoroqVins=True

Timestamp: 2025-01-01 11:35:14 UTC   Bytes transferred: 835   Direction: IN
HTTP/1.1 500 Internal Server Error
Date: Wed, 01 Jan 2025 11:35:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: no-store
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VCEzDRKW7LYmjFh%2Fzv1Cs3NZZ7LnGDPXx9S0C5aBC8qZRu6Ws5YNraQlawuZbeFV58SIXv8E%2F7QXmNkEeWEqic9wHyelXRDF2XE%2B%2FjkMw9hwdkN2tZK8lrkwBapt2xxWcw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fb2346add1d41a6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1584&min_rtt=1584&rtt_var=595&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=923&delivery_rate=1837633&cwnd=239&unsent_bytes=0&cid=639d4a41a69f1840&ts=537&x=0"

Timestamp: 2025-01-01 11:35:14 UTC   Bytes transferred: 5   Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Target ID: 0
Start time: 06:35:02
Start date: 01/01/2025
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\6a7e35.msi"
Imagebase: 0x7ff7e28c0000
File size: 69'632 bytes
MD5 hash: E5DA170027542E25EDE42FC54C929077
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 06:35:02
Start date: 01/01/2025
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\msiexec.exe /V
Imagebase: 0x7ff7e28c0000
File size: 69'632 bytes
MD5 hash: E5DA170027542E25EDE42FC54C929077
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 06:35:04
Start date: 01/01/2025
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding B8D344171FDCF9A94B1EF3DC3F4CA3AD
Imagebase: 0xd00000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 06:35:14
Start date: 01/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssF731.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiF72E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrF72F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrF730.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Imagebase: 0x90000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 06:35:14
Start date: 01/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 06:35:21
Start date: 01/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\suriqk.bat" "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe""
Imagebase: 0x7ff7751d0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 06:35:21
Start date: 01/01/2025
Path: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe"
Imagebase: 0x7ff68c7b0000
File size: 57'488 bytes
MD5 hash: 71F796B486C7FAF25B9B16233A7CE0CD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: moderate
Has exited: true

Target ID: 8
Start time: 06:35:21
Start date: 01/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 06:35:21
Start date: 01/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 06:35:21
Start date: 01/01/2025
Path: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe"
Imagebase: 0x7ff7b7ab0000
File size: 35'656 bytes
MD5 hash: D3CAC4D7B35BACAE314F48C374452D71
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 11
Start time: 06:35:21
Start date: 01/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1783418280.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_4b40000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c43e4ca9d2b817aeee94494ecefbf70fc8c59beba81e884a980a05dce7f4f8b1
                                                                                                        • Instruction ID: 920e2392ae32e6e7f05d76583f6db8b43a0ee1200a752c4faacbd19c15b81193
                                                                                                        • Opcode Fuzzy Hash: c43e4ca9d2b817aeee94494ecefbf70fc8c59beba81e884a980a05dce7f4f8b1
                                                                                                        • Instruction Fuzzy Hash: 16718034E01208DFDB14EFA4D884AADBBF2FF89304F14886DD416AB255DB30AD45DB41
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1783418280.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_4b40000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a7572e8d8848c919f63e272ccf388803cae0522f937ee3f6338c7f05325c3c5e
                                                                                                        • Instruction ID: be78fe377eb2f6b90434884ea6e19a23d94cdd06a88caf90ebd7efbbec87a57e
                                                                                                        • Opcode Fuzzy Hash: a7572e8d8848c919f63e272ccf388803cae0522f937ee3f6338c7f05325c3c5e
                                                                                                        • Instruction Fuzzy Hash: E6419F756042008FDB18EF64C458AAE7BF2EFC9750F0841A9E406EB3A4CF35AC41DB51
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1783418280.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_4b40000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5e261c22f424ad0329bf7f894dac99575ddd50de491694ff61c9bc5bcec2ac23
                                                                                                        • Instruction ID: 78b9632359bc505e82b94e6710031021004c918b4b1ad86104dfd90a37888802
                                                                                                        • Opcode Fuzzy Hash: 5e261c22f424ad0329bf7f894dac99575ddd50de491694ff61c9bc5bcec2ac23
                                                                                                        • Instruction Fuzzy Hash: 01417F70A01209CFDB18EFA9C88469DBBF2FF89304F14856DD046AF3A5DB70A845DB41
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1783418280.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_4b40000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0fc06b49f16374c099fefa891e4902e439c4f30752742bfd67669e92c1295016
                                                                                                        • Instruction ID: 6a090bfaa2e059ee9b2d37e798a543b81419839e6ee6464ddc0716d0b8da3d5d
                                                                                                        • Opcode Fuzzy Hash: 0fc06b49f16374c099fefa891e4902e439c4f30752742bfd67669e92c1295016
                                                                                                        • Instruction Fuzzy Hash: C43141387096408F83A4DB298160729BBF2FBCA250319D5AEE4C6CF755EB24FC06A755
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1783236247.000000000343D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0343D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_343d000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 76cb5818fe30996afedb73778c01e3f2c3e2afe00ba6a76a00a067166c1aa33b
                                                                                                        • Instruction ID: 55a2bf2c65bc43f3d685e5d0a723c32a22e4fda7be6b1c3bfc7d0847dc741a6e
                                                                                                        • Opcode Fuzzy Hash: 76cb5818fe30996afedb73778c01e3f2c3e2afe00ba6a76a00a067166c1aa33b
                                                                                                        • Instruction Fuzzy Hash: 0901217140D3C05FD7128B25C994B52BFB4DF47624F1D81DBD9848F293C2695845C772
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1783236247.000000000343D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0343D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_343d000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 35bd435fa574c3806587dff7fa7ec1b6eb7bbdf1d304158d0b262862756b4e4f
                                                                                                        • Instruction ID: 2b73010c421fbf11fa785a07750a2f38c50b9217c490fcdbbb4c373dee9fe68f
                                                                                                        • Opcode Fuzzy Hash: 35bd435fa574c3806587dff7fa7ec1b6eb7bbdf1d304158d0b262862756b4e4f
                                                                                                        • Instruction Fuzzy Hash: 4901F7718083409AE710CA25CD84BA7FFA8DF4B728F1CC46BED185F246C6799842C6B5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1783418280.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_4b40000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6e379fcfc9ecf18625e16b171cf5471a75b93233e56e32c1aa56a716ba124ee9
                                                                                                        • Instruction ID: 0b38b663b2d6cd6222b71ddc9ff51e6b2adccb76f19377e7667737e951e7c64a
                                                                                                        • Opcode Fuzzy Hash: 6e379fcfc9ecf18625e16b171cf5471a75b93233e56e32c1aa56a716ba124ee9
                                                                                                        • Instruction Fuzzy Hash: C2F01C74A8070A8FDB04EBE4D595B6E7BB2AB85344F108858D1029F368DB78A9488BC0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1787278321.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_7a70000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 84Yk$84Yk$tP^q$tP^q$tP^q$tP^q$$^q$$^q$$^q$$^q$Qk$Qk
                                                                                                        • API String ID: 0-2102110628
                                                                                                        • Opcode ID: 248cbd8af602fef396a94dd6599ef6910a7349fc8fb9b451f62aa9dd89770c4b
                                                                                                        • Instruction ID: 2b668263988dc2868cd27fa099b28fc1f784a8512b94cba9b8dfaba157e92cbe
                                                                                                        • Opcode Fuzzy Hash: 248cbd8af602fef396a94dd6599ef6910a7349fc8fb9b451f62aa9dd89770c4b
                                                                                                        • Instruction Fuzzy Hash: 3B8145B17043498FC7148B69DC04A6ABBF6AFC6720F1884ABE455CF352CA31CC45CBA2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1787278321.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_7a70000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                                        • API String ID: 0-3272787073
                                                                                                        • Opcode ID: 836ad11ba168b61a5f34b8464517ea0709314ed047026a6b0bbe1d867a25fa0a
                                                                                                        • Instruction ID: a240a957f6dcfd5621543c60fc6ac252238303a1afe4116fe6d3bf0ca800247d
                                                                                                        • Opcode Fuzzy Hash: 836ad11ba168b61a5f34b8464517ea0709314ed047026a6b0bbe1d867a25fa0a
                                                                                                        • Instruction Fuzzy Hash: 2F3149B2B44306CFEF294B659C142ABFBB2EFC2211F24847BE4658A241DF36C495C741
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1787278321.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_7a70000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4Xk$4Xk$$^q$$^q$$^q
                                                                                                        • API String ID: 0-1137781394
                                                                                                        • Opcode ID: 1bfd7c36d6a79658a6a5b7fbf42869c71e929d05cb485cf7f9e46535a48cf113
                                                                                                        • Instruction ID: 042e877c855ff74d14ae67bc612c5a41175a26f441cb3d943f52cb235f1d4f57
                                                                                                        • Opcode Fuzzy Hash: 1bfd7c36d6a79658a6a5b7fbf42869c71e929d05cb485cf7f9e46535a48cf113
                                                                                                        • Instruction Fuzzy Hash: D0113AF231420A9BD7284B299C20A7BB6D68BD1650B14843ED516CB396DE76CC41C3B1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.1787278321.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_7a70000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$4'^q$$^q$$^q
                                                                                                        • API String ID: 0-2049395529
                                                                                                        • Opcode ID: 34d64cb86d61a1e5bcd8b97f720b318c2bbcee6757f48ec9cd24a5a49f04a046
                                                                                                        • Instruction ID: bd9d96ce8393b9105607223cd1cc40f4521d232ae4f63412e7bae4b89235b540
                                                                                                        • Opcode Fuzzy Hash: 34d64cb86d61a1e5bcd8b97f720b318c2bbcee6757f48ec9cd24a5a49f04a046
                                                                                                        • Instruction Fuzzy Hash: 1801D471A4D7954FC72B13281C205666FB25FC351035944ABC091CF3A7CD654C4AC3A3

Execution Graph

Execution Coverage: 3.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.7%
Total number of Nodes: 700
Total number of Limit Nodes: 1
2722->2718 2723 7ff68c7b7372 2724 7ff68c7b43d0 ExFilterRethrow 10 API calls 2723->2724 2725 7ff68c7b7389 2724->2725 2726 7ff68c7b43d0 ExFilterRethrow 10 API calls 2725->2726 2727 7ff68c7b73a4 2726->2727 2728 7ff68c7b43d0 ExFilterRethrow 10 API calls 2727->2728 2729 7ff68c7b73ad 2728->2729 2734 7ff68c7b5414 2729->2734 2732 7ff68c7b43d0 ExFilterRethrow 10 API calls 2733 7ff68c7b73f8 2732->2733 2735 7ff68c7b5443 __except_validate_context_record 2734->2735 2736 7ff68c7b43d0 ExFilterRethrow 10 API calls 2735->2736 2737 7ff68c7b5448 2736->2737 2738 7ff68c7b5498 2737->2738 2743 7ff68c7b55b2 __GSHandlerCheck_EH 2737->2743 2749 7ff68c7b5551 2737->2749 2740 7ff68c7b559f 2738->2740 2747 7ff68c7b54f3 __GSHandlerCheck_EH 2738->2747 2738->2749 2739 7ff68c7b55f7 2739->2749 2781 7ff68c7b49a4 2739->2781 2774 7ff68c7b3678 2740->2774 2743->2739 2743->2749 2778 7ff68c7b3bbc 2743->2778 2744 7ff68c7b56a2 abort 2746 7ff68c7b5543 2750 7ff68c7b5cf0 2746->2750 2747->2744 2747->2746 2749->2732 2834 7ff68c7b3ba8 2750->2834 2752 7ff68c7b5d40 __GSHandlerCheck_EH 2753 7ff68c7b5d72 2752->2753 2754 7ff68c7b5d5b 2752->2754 2756 7ff68c7b43d0 ExFilterRethrow 10 API calls 2753->2756 2755 7ff68c7b43d0 ExFilterRethrow 10 API calls 2754->2755 2757 7ff68c7b5d60 2755->2757 2758 7ff68c7b5d77 2756->2758 2759 7ff68c7b5fd0 abort 2757->2759 2760 7ff68c7b5d6a 2757->2760 2758->2760 2761 7ff68c7b43d0 ExFilterRethrow 10 API calls 2758->2761 2762 7ff68c7b43d0 ExFilterRethrow 10 API calls 2760->2762 2763 7ff68c7b5d82 2761->2763 2772 7ff68c7b5d96 __GSHandlerCheck_EH 2762->2772 2764 7ff68c7b43d0 ExFilterRethrow 10 API calls 2763->2764 2764->2760 2765 7ff68c7b5f92 2766 7ff68c7b43d0 ExFilterRethrow 10 API calls 2765->2766 2767 7ff68c7b5f97 2766->2767 2768 7ff68c7b5fa2 2767->2768 2769 7ff68c7b43d0 ExFilterRethrow 10 API calls 2767->2769 2770 7ff68c7b2660 __GSHandlerCheck_EH 8 API calls 2768->2770 2769->2768 2771 7ff68c7b5fb5 2770->2771 2771->2749 2772->2765 2773 7ff68c7b3bd0 __GSHandlerCheck_EH 10 API calls 2772->2773 
2773->2772 2775 7ff68c7b368a 2774->2775 2776 7ff68c7b5cf0 __GSHandlerCheck_EH 19 API calls 2775->2776 2777 7ff68c7b36a5 2776->2777 2777->2749 2779 7ff68c7b43d0 ExFilterRethrow 10 API calls 2778->2779 2780 7ff68c7b3bc5 2779->2780 2780->2739 2782 7ff68c7b4a01 __GSHandlerCheck_EH 2781->2782 2783 7ff68c7b4a20 2782->2783 2784 7ff68c7b4a09 2782->2784 2786 7ff68c7b43d0 ExFilterRethrow 10 API calls 2783->2786 2785 7ff68c7b43d0 ExFilterRethrow 10 API calls 2784->2785 2793 7ff68c7b4a0e 2785->2793 2787 7ff68c7b4a25 2786->2787 2789 7ff68c7b43d0 ExFilterRethrow 10 API calls 2787->2789 2787->2793 2788 7ff68c7b4e99 abort 2790 7ff68c7b4a30 2789->2790 2791 7ff68c7b43d0 ExFilterRethrow 10 API calls 2790->2791 2791->2793 2792 7ff68c7b4b54 __GSHandlerCheck_EH 2795 7ff68c7b4def 2792->2795 2828 7ff68c7b4b90 __GSHandlerCheck_EH 2792->2828 2793->2788 2793->2792 2794 7ff68c7b43d0 ExFilterRethrow 10 API calls 2793->2794 2798 7ff68c7b4ac0 2794->2798 2795->2788 2796 7ff68c7b4ded 2795->2796 2873 7ff68c7b4ea0 2795->2873 2797 7ff68c7b43d0 ExFilterRethrow 10 API calls 2796->2797 2800 7ff68c7b4e30 2797->2800 2802 7ff68c7b4e37 2798->2802 2804 7ff68c7b43d0 ExFilterRethrow 10 API calls 2798->2804 2800->2788 2800->2802 2801 7ff68c7b4dd4 __GSHandlerCheck_EH 2801->2796 2809 7ff68c7b4e81 2801->2809 2803 7ff68c7b2660 __GSHandlerCheck_EH 8 API calls 2802->2803 2805 7ff68c7b4e43 2803->2805 2806 7ff68c7b4ad0 2804->2806 2805->2749 2807 7ff68c7b43d0 ExFilterRethrow 10 API calls 2806->2807 2808 7ff68c7b4ad9 2807->2808 2837 7ff68c7b3be8 2808->2837 2810 7ff68c7b43d0 ExFilterRethrow 10 API calls 2809->2810 2812 7ff68c7b4e86 2810->2812 2814 7ff68c7b43d0 ExFilterRethrow 10 API calls 2812->2814 2815 7ff68c7b4e8f terminate 2814->2815 2815->2788 2816 7ff68c7b43d0 ExFilterRethrow 10 API calls 2817 7ff68c7b4b16 2816->2817 2817->2792 2818 7ff68c7b43d0 ExFilterRethrow 10 API calls 2817->2818 2820 7ff68c7b4b22 2818->2820 2819 7ff68c7b3bbc 10 API calls BuildCatchObjectHelperInternal 2819->2828 2821 7ff68c7b43d0 
ExFilterRethrow 10 API calls 2820->2821 2822 7ff68c7b4b2b 2821->2822 2840 7ff68c7b5fd8 2822->2840 2825 7ff68c7b4b3f 2847 7ff68c7b60c8 2825->2847 2828->2801 2828->2819 2851 7ff68c7b52d0 2828->2851 2865 7ff68c7b48d0 2828->2865 2829 7ff68c7b4e7b terminate 2829->2809 2831 7ff68c7b4b47 std::bad_alloc::bad_alloc __GSHandlerCheck_EH 2831->2829 2832 7ff68c7b3f84 Concurrency::cancel_current_task 2 API calls 2831->2832 2833 7ff68c7b4e7a 2832->2833 2833->2829 2835 7ff68c7b43d0 ExFilterRethrow 10 API calls 2834->2835 2836 7ff68c7b3bb1 2835->2836 2836->2752 2838 7ff68c7b43d0 ExFilterRethrow 10 API calls 2837->2838 2839 7ff68c7b3bf6 2838->2839 2839->2788 2839->2816 2841 7ff68c7b60bf abort 2840->2841 2844 7ff68c7b6003 2840->2844 2842 7ff68c7b4b3b 2842->2792 2842->2825 2843 7ff68c7b3bbc 10 API calls BuildCatchObjectHelperInternal 2843->2844 2844->2842 2844->2843 2845 7ff68c7b3ba8 Is_bad_exception_allowed 10 API calls 2844->2845 2889 7ff68c7b5190 2844->2889 2845->2844 2848 7ff68c7b6135 2847->2848 2849 7ff68c7b60e5 Is_bad_exception_allowed 2847->2849 2848->2831 2849->2848 2850 7ff68c7b3ba8 10 API calls Is_bad_exception_allowed 2849->2850 2850->2849 2852 7ff68c7b538d 2851->2852 2853 7ff68c7b52fd 2851->2853 2852->2828 2854 7ff68c7b3ba8 Is_bad_exception_allowed 10 API calls 2853->2854 2855 7ff68c7b5306 2854->2855 2855->2852 2856 7ff68c7b3ba8 Is_bad_exception_allowed 10 API calls 2855->2856 2857 7ff68c7b531f 2855->2857 2856->2857 2857->2852 2858 7ff68c7b534c 2857->2858 2859 7ff68c7b3ba8 Is_bad_exception_allowed 10 API calls 2857->2859 2860 7ff68c7b3bbc BuildCatchObjectHelperInternal 10 API calls 2858->2860 2859->2858 2861 7ff68c7b5360 2860->2861 2861->2852 2862 7ff68c7b5379 2861->2862 2863 7ff68c7b3ba8 Is_bad_exception_allowed 10 API calls 2861->2863 2864 7ff68c7b3bbc BuildCatchObjectHelperInternal 10 API calls 2862->2864 2863->2862 2864->2852 2866 7ff68c7b490d __GSHandlerCheck_EH 2865->2866 2867 7ff68c7b4933 2866->2867 2903 7ff68c7b480c 2866->2903 2869 7ff68c7b3ba8 
Is_bad_exception_allowed 10 API calls 2867->2869 2870 7ff68c7b4945 2869->2870 2912 7ff68c7b3838 RtlUnwindEx 2870->2912 2874 7ff68c7b4ef4 2873->2874 2875 7ff68c7b5169 2873->2875 2877 7ff68c7b43d0 ExFilterRethrow 10 API calls 2874->2877 2876 7ff68c7b2660 __GSHandlerCheck_EH 8 API calls 2875->2876 2878 7ff68c7b5175 2876->2878 2879 7ff68c7b4ef9 2877->2879 2878->2796 2880 7ff68c7b4f0e EncodePointer 2879->2880 2881 7ff68c7b4f60 __GSHandlerCheck_EH 2879->2881 2882 7ff68c7b43d0 ExFilterRethrow 10 API calls 2880->2882 2881->2875 2883 7ff68c7b5189 abort 2881->2883 2886 7ff68c7b4f82 __GSHandlerCheck_EH 2881->2886 2884 7ff68c7b4f1e 2882->2884 2884->2881 2936 7ff68c7b34f8 2884->2936 2886->2875 2887 7ff68c7b3ba8 10 API calls Is_bad_exception_allowed 2886->2887 2888 7ff68c7b48d0 __GSHandlerCheck_EH 21 API calls 2886->2888 2887->2886 2888->2886 2890 7ff68c7b51bd 2889->2890 2901 7ff68c7b524c 2889->2901 2891 7ff68c7b3ba8 Is_bad_exception_allowed 10 API calls 2890->2891 2892 7ff68c7b51c6 2891->2892 2893 7ff68c7b3ba8 Is_bad_exception_allowed 10 API calls 2892->2893 2894 7ff68c7b51df 2892->2894 2892->2901 2893->2894 2895 7ff68c7b520b 2894->2895 2896 7ff68c7b3ba8 Is_bad_exception_allowed 10 API calls 2894->2896 2894->2901 2897 7ff68c7b3bbc BuildCatchObjectHelperInternal 10 API calls 2895->2897 2896->2895 2898 7ff68c7b521f 2897->2898 2899 7ff68c7b5238 2898->2899 2900 7ff68c7b3ba8 Is_bad_exception_allowed 10 API calls 2898->2900 2898->2901 2902 7ff68c7b3bbc BuildCatchObjectHelperInternal 10 API calls 2899->2902 2900->2899 2901->2844 2902->2901 2904 7ff68c7b482f 2903->2904 2915 7ff68c7b4608 2904->2915 2906 7ff68c7b4840 2907 7ff68c7b4881 __AdjustPointer 2906->2907 2908 7ff68c7b4845 __AdjustPointer 2906->2908 2909 7ff68c7b4864 BuildCatchObjectHelperInternal 2907->2909 2910 7ff68c7b3bbc BuildCatchObjectHelperInternal 10 API calls 2907->2910 2908->2909 2911 7ff68c7b3bbc BuildCatchObjectHelperInternal 10 API calls 2908->2911 2909->2867 2910->2909 2911->2909 2913 7ff68c7b2660 __GSHandlerCheck_EH 
8 API calls 2912->2913 2914 7ff68c7b394e 2913->2914 2914->2828 2916 7ff68c7b4635 2915->2916 2918 7ff68c7b463e 2915->2918 2917 7ff68c7b3ba8 Is_bad_exception_allowed 10 API calls 2916->2917 2917->2918 2919 7ff68c7b3ba8 Is_bad_exception_allowed 10 API calls 2918->2919 2920 7ff68c7b465d 2918->2920 2927 7ff68c7b46c2 __AdjustPointer BuildCatchObjectHelperInternal 2918->2927 2919->2920 2921 7ff68c7b46aa 2920->2921 2922 7ff68c7b46ca 2920->2922 2920->2927 2924 7ff68c7b47e9 abort abort 2921->2924 2921->2927 2923 7ff68c7b3bbc BuildCatchObjectHelperInternal 10 API calls 2922->2923 2926 7ff68c7b474a 2922->2926 2922->2927 2923->2926 2925 7ff68c7b480c 2924->2925 2928 7ff68c7b4608 BuildCatchObjectHelperInternal 10 API calls 2925->2928 2926->2927 2929 7ff68c7b3bbc BuildCatchObjectHelperInternal 10 API calls 2926->2929 2927->2906 2930 7ff68c7b4840 2928->2930 2929->2927 2931 7ff68c7b4881 __AdjustPointer 2930->2931 2932 7ff68c7b4845 __AdjustPointer 2930->2932 2933 7ff68c7b3bbc BuildCatchObjectHelperInternal 10 API calls 2931->2933 2935 7ff68c7b4864 BuildCatchObjectHelperInternal 2931->2935 2934 7ff68c7b3bbc BuildCatchObjectHelperInternal 10 API calls 2932->2934 2932->2935 2933->2935 2934->2935 2935->2906 2937 7ff68c7b43d0 ExFilterRethrow 10 API calls 2936->2937 2938 7ff68c7b3524 2937->2938 2938->2881 3090 7ff68c7b74a7 3093 7ff68c7b5cc0 3090->3093 3098 7ff68c7b5c38 3093->3098 3096 7ff68c7b43d0 ExFilterRethrow 10 API calls 3097 7ff68c7b5ce0 3096->3097 3099 7ff68c7b5ca3 3098->3099 3100 7ff68c7b5c5a 3098->3100 3099->3096 3099->3097 3100->3099 3101 7ff68c7b43d0 ExFilterRethrow 10 API calls 3100->3101 3101->3099 2243 7ff68c7b27ec 2266 7ff68c7b2b8c 2243->2266 2246 7ff68c7b2943 2306 7ff68c7b2ecc IsProcessorFeaturePresent 2246->2306 2247 7ff68c7b280d 2249 7ff68c7b294d 2247->2249 2254 7ff68c7b282b __scrt_release_startup_lock 2247->2254 2250 7ff68c7b2ecc 7 API calls 2249->2250 2251 7ff68c7b2958 2250->2251 2253 7ff68c7b2960 _exit 2251->2253 2252 7ff68c7b2850 2254->2252 2255 7ff68c7b28d6 
_get_initial_narrow_environment __p___argv __p___argc 2254->2255 2258 7ff68c7b28ce _register_thread_local_exe_atexit_callback 2254->2258 2272 7ff68c7b1060 2255->2272 2258->2255 2261 7ff68c7b2903 2262 7ff68c7b2908 _cexit 2261->2262 2263 7ff68c7b290d 2261->2263 2262->2263 2302 7ff68c7b2d20 2263->2302 2313 7ff68c7b316c 2266->2313 2269 7ff68c7b2805 2269->2246 2269->2247 2270 7ff68c7b2bbb __scrt_initialize_crt 2270->2269 2315 7ff68c7b404c 2270->2315 2273 7ff68c7b1386 2272->2273 2297 7ff68c7b10b4 2272->2297 2342 7ff68c7b1450 __acrt_iob_func 2273->2342 2275 7ff68c7b1399 2300 7ff68c7b3020 GetModuleHandleW 2275->2300 2276 7ff68c7b1289 2276->2273 2277 7ff68c7b129f 2276->2277 2347 7ff68c7b2688 2277->2347 2279 7ff68c7b1125 strcmp 2279->2297 2280 7ff68c7b12a9 2281 7ff68c7b12b9 GetTempPathA 2280->2281 2282 7ff68c7b1325 2280->2282 2285 7ff68c7b12e9 strcat_s 2281->2285 2286 7ff68c7b12cb GetLastError 2281->2286 2356 7ff68c7b23c0 2282->2356 2283 7ff68c7b1151 strcmp 2283->2297 2285->2282 2289 7ff68c7b1304 2285->2289 2288 7ff68c7b1450 6 API calls 2286->2288 2292 7ff68c7b12df GetLastError 2288->2292 2293 7ff68c7b1450 6 API calls 2289->2293 2290 7ff68c7b1344 __acrt_iob_func fflush __acrt_iob_func fflush 2296 7ff68c7b1312 2290->2296 2291 7ff68c7b117d strcmp 2291->2297 2292->2296 2293->2296 2296->2275 2297->2276 2297->2279 2297->2283 2297->2291 2298 7ff68c7b1226 strcmp 2297->2298 2298->2297 2299 7ff68c7b1239 atoi 2298->2299 2299->2297 2301 7ff68c7b28ff 2300->2301 2301->2251 2301->2261 2304 7ff68c7b2d31 __scrt_initialize_crt 2302->2304 2303 7ff68c7b2916 2303->2252 2304->2303 2305 7ff68c7b404c __scrt_initialize_crt 7 API calls 2304->2305 2305->2303 2307 7ff68c7b2ef2 2306->2307 2308 7ff68c7b2f11 RtlCaptureContext RtlLookupFunctionEntry 2307->2308 2309 7ff68c7b2f3a RtlVirtualUnwind 2308->2309 2310 7ff68c7b2f76 2308->2310 2309->2310 2311 7ff68c7b2fa8 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 2310->2311 2312 7ff68c7b2ffa 2311->2312 2312->2249 2314 7ff68c7b2bae 
__scrt_dllmain_crt_thread_attach 2313->2314 2314->2269 2314->2270 2316 7ff68c7b405e 2315->2316 2317 7ff68c7b4054 2315->2317 2316->2269 2321 7ff68c7b44f4 2317->2321 2322 7ff68c7b4059 2321->2322 2323 7ff68c7b4503 2321->2323 2325 7ff68c7b6460 2322->2325 2329 7ff68c7b6630 2323->2329 2326 7ff68c7b648b 2325->2326 2327 7ff68c7b646e DeleteCriticalSection 2326->2327 2328 7ff68c7b648f 2326->2328 2327->2326 2328->2316 2333 7ff68c7b6498 2329->2333 2334 7ff68c7b65b2 TlsFree 2333->2334 2339 7ff68c7b64dc 2333->2339 2335 7ff68c7b650a LoadLibraryExW 2337 7ff68c7b6581 2335->2337 2338 7ff68c7b652b GetLastError 2335->2338 2336 7ff68c7b65a1 GetProcAddress 2336->2334 2337->2336 2340 7ff68c7b6598 FreeLibrary 2337->2340 2338->2339 2339->2334 2339->2335 2339->2336 2341 7ff68c7b654d LoadLibraryExW 2339->2341 2340->2336 2341->2337 2341->2339 2392 7ff68c7b1010 2342->2392 2344 7ff68c7b148a __acrt_iob_func 2395 7ff68c7b1000 2344->2395 2346 7ff68c7b14a2 __stdio_common_vfprintf __acrt_iob_func fflush 2346->2275 2350 7ff68c7b2690 2347->2350 2348 7ff68c7b26aa malloc 2349 7ff68c7b26b4 2348->2349 2348->2350 2349->2280 2350->2348 2351 7ff68c7b26ba 2350->2351 2354 7ff68c7b26c5 2351->2354 2397 7ff68c7b2b30 2351->2397 2401 7ff68c7b1720 2354->2401 2355 7ff68c7b26cb 2355->2280 2357 7ff68c7b2688 5 API calls 2356->2357 2358 7ff68c7b23f5 OpenProcess 2357->2358 2359 7ff68c7b2458 K32GetModuleBaseNameA 2358->2359 2360 7ff68c7b243b GetLastError 2358->2360 2362 7ff68c7b2470 GetLastError 2359->2362 2363 7ff68c7b2492 2359->2363 2361 7ff68c7b1450 6 API calls 2360->2361 2371 7ff68c7b2453 2361->2371 2364 7ff68c7b1450 6 API calls 2362->2364 2418 7ff68c7b1800 2363->2418 2366 7ff68c7b2484 CloseHandle 2364->2366 2366->2371 2368 7ff68c7b24ae 2372 7ff68c7b13c0 6 API calls 2368->2372 2369 7ff68c7b25b3 CloseHandle 2369->2371 2370 7ff68c7b25fa 2429 7ff68c7b2660 2370->2429 2371->2370 2373 7ff68c7b25f3 _invalid_parameter_noinfo_noreturn 2371->2373 2374 7ff68c7b24cf CreateFileA 2372->2374 2373->2370 2376 7ff68c7b250f GetLastError 
2374->2376 2377 7ff68c7b2543 2374->2377 2378 7ff68c7b1450 6 API calls 2376->2378 2379 7ff68c7b2550 MiniDumpWriteDump 2377->2379 2383 7ff68c7b258a CloseHandle CloseHandle 2377->2383 2381 7ff68c7b2538 CloseHandle 2378->2381 2382 7ff68c7b2576 GetLastError 2379->2382 2379->2383 2381->2371 2382->2377 2384 7ff68c7b258c 2382->2384 2383->2371 2386 7ff68c7b1450 6 API calls 2384->2386 2386->2383 2387 7ff68c7b13c0 __acrt_iob_func 2388 7ff68c7b1010 fprintf __stdio_common_vfprintf 2387->2388 2389 7ff68c7b13fa __acrt_iob_func 2388->2389 2488 7ff68c7b1000 2389->2488 2391 7ff68c7b1412 __stdio_common_vfprintf __acrt_iob_func fflush 2391->2290 2396 7ff68c7b1000 2392->2396 2394 7ff68c7b1036 __stdio_common_vfprintf 2394->2344 2395->2346 2396->2394 2398 7ff68c7b2b3e std::bad_alloc::bad_alloc 2397->2398 2407 7ff68c7b3f84 2398->2407 2400 7ff68c7b2b4f 2402 7ff68c7b172e Concurrency::cancel_current_task 2401->2402 2403 7ff68c7b3f84 Concurrency::cancel_current_task 2 API calls 2402->2403 2404 7ff68c7b173f 2403->2404 2412 7ff68c7b3cc0 2404->2412 2408 7ff68c7b3fc0 RtlPcToFileHeader 2407->2408 2409 7ff68c7b3fa3 2407->2409 2410 7ff68c7b3fd8 2408->2410 2411 7ff68c7b3fe7 RaiseException 2408->2411 2409->2408 2410->2411 2411->2400 2413 7ff68c7b176d 2412->2413 2414 7ff68c7b3ce1 2412->2414 2413->2355 2414->2413 2415 7ff68c7b3cf6 malloc 2414->2415 2416 7ff68c7b3d23 free 2415->2416 2417 7ff68c7b3d07 2415->2417 2416->2413 2417->2416 2419 7ff68c7b1850 2418->2419 2420 7ff68c7b1863 WSAStartup 2418->2420 2421 7ff68c7b1450 6 API calls 2419->2421 2422 7ff68c7b185c 2420->2422 2427 7ff68c7b187f 2420->2427 2421->2422 2423 7ff68c7b2660 __GSHandlerCheck_EH 8 API calls 2422->2423 2424 7ff68c7b1d87 2423->2424 2424->2368 2424->2369 2425 7ff68c7b1dd0 2426 7ff68c7b1450 6 API calls 2425->2426 2426->2422 2427->2422 2427->2425 2438 7ff68c7b20c0 2427->2438 2430 7ff68c7b2669 2429->2430 2431 7ff68c7b1334 2430->2431 2432 7ff68c7b29c0 IsProcessorFeaturePresent 2430->2432 2431->2290 2431->2387 2433 7ff68c7b29d8 2432->2433 2483 
7ff68c7b2a94 RtlCaptureContext 2433->2483 2439 7ff68c7b2218 2438->2439 2440 7ff68c7b20e9 2438->2440 2462 7ff68c7b17e0 2439->2462 2442 7ff68c7b2144 2440->2442 2444 7ff68c7b2137 2440->2444 2445 7ff68c7b216c 2440->2445 2453 7ff68c7b2690 2442->2453 2443 7ff68c7b221d 2447 7ff68c7b1720 Concurrency::cancel_current_task 4 API calls 2443->2447 2444->2442 2444->2443 2448 7ff68c7b2690 5 API calls 2445->2448 2451 7ff68c7b2155 BuildCatchObjectHelperInternal 2445->2451 2449 7ff68c7b2223 2447->2449 2448->2451 2450 7ff68c7b21e0 _invalid_parameter_noinfo_noreturn 2452 7ff68c7b21d3 BuildCatchObjectHelperInternal 2450->2452 2451->2450 2451->2452 2452->2427 2454 7ff68c7b26aa malloc 2453->2454 2455 7ff68c7b26b4 2454->2455 2456 7ff68c7b269b 2454->2456 2455->2451 2456->2454 2457 7ff68c7b26ba 2456->2457 2458 7ff68c7b26c5 2457->2458 2459 7ff68c7b2b30 Concurrency::cancel_current_task 2 API calls 2457->2459 2460 7ff68c7b1720 Concurrency::cancel_current_task 4 API calls 2458->2460 2459->2458 2461 7ff68c7b26cb 2460->2461 2461->2451 2475 7ff68c7b34d4 2462->2475 2480 7ff68c7b33f8 2475->2480 2478 7ff68c7b3f84 Concurrency::cancel_current_task 2 API calls 2479 7ff68c7b34f6 2478->2479 2481 7ff68c7b3cc0 __std_exception_copy 2 API calls 2480->2481 2482 7ff68c7b342c 2481->2482 2482->2478 2484 7ff68c7b2aae RtlLookupFunctionEntry 2483->2484 2485 7ff68c7b2ac4 RtlVirtualUnwind 2484->2485 2486 7ff68c7b29eb 2484->2486 2485->2484 2485->2486 2487 7ff68c7b2984 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2486->2487 2488->2391 3102 7ff68c7b59ad 3103 7ff68c7b43d0 ExFilterRethrow 10 API calls 3102->3103 3104 7ff68c7b59ba 3103->3104 3105 7ff68c7b43d0 ExFilterRethrow 10 API calls 3104->3105 3107 7ff68c7b59c3 __GSHandlerCheck_EH 3105->3107 3106 7ff68c7b5a0a RaiseException 3108 7ff68c7b5a29 3106->3108 3107->3106 3109 7ff68c7b3b54 11 API calls 3108->3109 3113 7ff68c7b5a31 3109->3113 3110 7ff68c7b5a5a __GSHandlerCheck_EH 3111 7ff68c7b43d0 ExFilterRethrow 10 API calls 3110->3111 
3112 7ff68c7b5a6d 3111->3112 3114 7ff68c7b43d0 ExFilterRethrow 10 API calls 3112->3114 3113->3110 3115 7ff68c7b4104 10 API calls 3113->3115 3116 7ff68c7b5a76 3114->3116 3115->3110 3117 7ff68c7b43d0 ExFilterRethrow 10 API calls 3116->3117 3118 7ff68c7b5a7f 3117->3118 3119 7ff68c7b43d0 ExFilterRethrow 10 API calls 3118->3119 3120 7ff68c7b5a8e 3119->3120

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 0 7ff68c7b1060-7ff68c7b10ae 1 7ff68c7b10b4-7ff68c7b10c6 0->1 2 7ff68c7b1386-7ff68c7b1394 call 7ff68c7b1450 0->2 3 7ff68c7b10d0-7ff68c7b10d6 1->3 5 7ff68c7b1399 2->5 6 7ff68c7b127f-7ff68c7b1283 3->6 7 7ff68c7b10dc-7ff68c7b10df 3->7 8 7ff68c7b139e-7ff68c7b13b7 5->8 6->3 9 7ff68c7b1289-7ff68c7b1299 6->9 10 7ff68c7b10e1-7ff68c7b10e5 7->10 11 7ff68c7b10ed 7->11 9->2 12 7ff68c7b129f-7ff68c7b12b7 call 7ff68c7b2688 9->12 10->11 13 7ff68c7b10e7-7ff68c7b10eb 10->13 14 7ff68c7b10f0-7ff68c7b10fc 11->14 26 7ff68c7b12b9-7ff68c7b12c9 GetTempPathA 12->26 27 7ff68c7b132a-7ff68c7b1336 call 7ff68c7b23c0 12->27 13->11 16 7ff68c7b1104-7ff68c7b110b 13->16 17 7ff68c7b1110-7ff68c7b1113 14->17 18 7ff68c7b10fe-7ff68c7b1102 14->18 22 7ff68c7b127b 16->22 19 7ff68c7b1125-7ff68c7b1136 strcmp 17->19 20 7ff68c7b1115-7ff68c7b1119 17->20 18->14 18->16 24 7ff68c7b1267-7ff68c7b126e 19->24 25 7ff68c7b113c-7ff68c7b113f 19->25 20->19 23 7ff68c7b111b-7ff68c7b111f 20->23 22->6 23->19 23->24 28 7ff68c7b1276 24->28 29 7ff68c7b1151-7ff68c7b1162 strcmp 25->29 30 7ff68c7b1141-7ff68c7b1145 25->30 32 7ff68c7b12e9-7ff68c7b1302 strcat_s 26->32 33 7ff68c7b12cb-7ff68c7b12e7 GetLastError call 7ff68c7b1450 GetLastError 26->33 41 7ff68c7b1338-7ff68c7b1344 call 7ff68c7b13c0 27->41 42 7ff68c7b1346 27->42 28->22 36 7ff68c7b1258-7ff68c7b1265 29->36 37 7ff68c7b1168-7ff68c7b116b 29->37 30->29 34 7ff68c7b1147-7ff68c7b114b 30->34 39 7ff68c7b1304-7ff68c7b1312 call 7ff68c7b1450 32->39 40 7ff68c7b1325 32->40 52 7ff68c7b1313-7ff68c7b1323 call 7ff68c7b2680 33->52 34->29 34->36 36->22 43 7ff68c7b117d-7ff68c7b118e strcmp 37->43 44 7ff68c7b116d-7ff68c7b1171 37->44 39->52 40->27 49 7ff68c7b134b-7ff68c7b1384 __acrt_iob_func fflush __acrt_iob_func fflush call 7ff68c7b2680 41->49 42->49 50 7ff68c7b1194-7ff68c7b1197 43->50 51 7ff68c7b1247-7ff68c7b1256 43->51 44->43 48 7ff68c7b1173-7ff68c7b1177 44->48 48->43 48->51 
49->8 57 7ff68c7b11a5-7ff68c7b11af 50->57 58 7ff68c7b1199-7ff68c7b119d 50->58 51->28 52->8 62 7ff68c7b11b0-7ff68c7b11bb 57->62 58->57 61 7ff68c7b119f-7ff68c7b11a3 58->61 61->57 65 7ff68c7b11c3-7ff68c7b11d2 61->65 63 7ff68c7b11d7-7ff68c7b11da 62->63 64 7ff68c7b11bd-7ff68c7b11c1 62->64 66 7ff68c7b11ec-7ff68c7b11f6 63->66 67 7ff68c7b11dc-7ff68c7b11e0 63->67 64->62 64->65 65->28 69 7ff68c7b1200-7ff68c7b120b 66->69 67->66 68 7ff68c7b11e2-7ff68c7b11e6 67->68 68->22 68->66 70 7ff68c7b1215-7ff68c7b1218 69->70 71 7ff68c7b120d-7ff68c7b1211 69->71 73 7ff68c7b1226-7ff68c7b1237 strcmp 70->73 74 7ff68c7b121a-7ff68c7b121e 70->74 71->69 72 7ff68c7b1213 71->72 72->22 73->22 76 7ff68c7b1239-7ff68c7b1245 atoi 73->76 74->73 75 7ff68c7b1220-7ff68c7b1224 74->75 75->22 75->73 76->22
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1840940905.00007FF68C7B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF68C7B0000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.1840923329.00007FF68C7B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                        • Associated: 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp
                                                                                                        • Associated: 00000007.00000002.1840998417.00007FF68C7BC000.00000004.00000001.01000000.00000006.sdmp
                                                                                                        • Associated: 00000007.00000002.1841030214.00007FF68C7BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ff68c7b0000_createdump.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                                                                        • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                                                                        • API String ID: 2647627392-2367407095
                                                                                                        • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                                                        • Instruction ID: a7c35a0221c3a1f6bb6c36d80a01440e2fe8c8d27aafe68f8de1e49d38092b34
                                                                                                        • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                                                        • Instruction Fuzzy Hash: 2DA16F62E0CB86D6FB618F20A8442B967F4FF46794F48817DDA9EC6695DE3CE844C310

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1840940905.00007FF68C7B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF68C7B0000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.1840923329.00007FF68C7B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                        • Associated: 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp
                                                                                                        • Associated: 00000007.00000002.1840998417.00007FF68C7BC000.00000004.00000001.01000000.00000006.sdmp
                                                                                                        • Associated: 00000007.00000002.1841030214.00007FF68C7BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ff68c7b0000_createdump.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                                                                        • String ID:
                                                                                                        • API String ID: 2308368977-0
                                                                                                        • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                                                        • Instruction ID: e8cd39c9764ff88b395ff1e2876450bda771e090433473dc3f7a03be2cfaecac
                                                                                                        • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                                                        • Instruction Fuzzy Hash: 84316A21E0E607C2FA14AB22E4653BA2691BF45784F84543DEA0DCB2E7DE2DF885C350

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1840940905.00007FF68C7B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF68C7B0000, based on PE: true
• Associated: 00000007.00000002.1840923329.00007FF68C7B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840998417.00007FF68C7BC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1841030214.00007FF68C7BD000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff68c7b0000_createdump.jbxd
Similarity
• API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
• String ID: [createdump]
• API String ID: 3735572767-2657508301
• Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
• Instruction ID: 5764e6e634a7381a6f2cc3e970e1894216d0a665710654f40b894110294cffc5
• Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
• Instruction Fuzzy Hash: 6C01FB25A08F81C2F6009B51F8191AAA364FF85BD1F008539EA8D83B66DF3CD555C700

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.1840940905.00007FF68C7B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF68C7B0000, based on PE: true
• Associated: 00000007.00000002.1840923329.00007FF68C7B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840998417.00007FF68C7BC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1841030214.00007FF68C7BD000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff68c7b0000_createdump.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
• Instruction ID: 7e7a687515fb331a70e9d1622eeabab7dfe45758761f1d1d1c9e9a27ab04b5e7
• Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
• Instruction Fuzzy Hash: 84313972609A81CAEB609F64E8403EE7365FF84744F44843ADA4E87B98EF38D648C710
Memory Dump Source
• Source File: 00000007.00000002.1840940905.00007FF68C7B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF68C7B0000, based on PE: true
• Associated: 00000007.00000002.1840923329.00007FF68C7B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840998417.00007FF68C7BC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1841030214.00007FF68C7BD000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff68c7b0000_createdump.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
• Instruction ID: 1774aa43440c4f7ff61386fd9a053c6800cb0266c937ee9b2f3592e62aea1b15
• Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
• Instruction Fuzzy Hash: C0A0022190CC02D0F6448B18EC542312331FF50340B400539D40DC14A0DF3CE484C300

Control-flow Graph

APIs
• OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68C7B242D
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68C7B243B
  • Part of subcall function 00007FF68C7B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68C7B1475
  • Part of subcall function 00007FF68C7B1450: fprintf.MSPDB140-MSVCRT ref: 00007FF68C7B1485
  • Part of subcall function 00007FF68C7B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68C7B1494
  • Part of subcall function 00007FF68C7B1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68C7B14B3
  • Part of subcall function 00007FF68C7B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68C7B14BE
  • Part of subcall function 00007FF68C7B1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68C7B14C7
• K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68C7B2466
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68C7B2470
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68C7B2487
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68C7B25F3
Strings
Memory Dump Source
• Source File: 00000007.00000002.1840940905.00007FF68C7B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF68C7B0000, based on PE: true
• Associated: 00000007.00000002.1840923329.00007FF68C7B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840998417.00007FF68C7BC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1841030214.00007FF68C7BD000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff68c7b0000_createdump.jbxd
Similarity
• API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
• String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
• API String ID: 3971781330-1292085346
• Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
• Instruction ID: d84b1a3aa94189ad0ead8e55971b08ee31b7c20b2b44e4daf28020abf0999d3e
• Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
• Instruction Fuzzy Hash: 2B615031A0DA42C2EA209B16E95467A77A1FF857D4F504139EEAE83AA5DF3CE445C700

Control-flow Graph
(rendered graph and its Executed / Not Executed legend omitted; the function begins at 7ff68c7b49a4 and its error paths end in abort at 7ff68c7b4e99 or terminate at 7ff68c7b4e7b)

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1840940905.00007FF68C7B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF68C7B0000, based on PE: true
• Associated: 00000007.00000002.1840923329.00007FF68C7B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840998417.00007FF68C7BC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1841030214.00007FF68C7BD000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff68c7b0000_createdump.jbxd
Similarity
• API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 695522112-393685449
• Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
• Instruction ID: 4a07c8fb64e952253da24860da8c7ff9729cab500acf226421ff506f74584204
• Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
• Instruction Fuzzy Hash: 54E19C73A08A86CAEB609F25D4813AD7BB4FF44B58F144139EA8D97796DF38E485C700

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1840940905.00007FF68C7B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF68C7B0000, based on PE: true
• Associated: 00000007.00000002.1840923329.00007FF68C7B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840998417.00007FF68C7BC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1841030214.00007FF68C7BD000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff68c7b0000_createdump.jbxd
Similarity
• API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
• String ID: [createdump]
• API String ID: 3735572767-2657508301
• Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
• Instruction ID: af1800a8bf2486f834b75b65ce00009817acfed94cad0ca43c166b8048af9f53
• Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
• Instruction Fuzzy Hash: 3C01FB35A08F81C2F7009B51F8141AAA364FF85BD1F008539EA8D83B66DF7CD595C740

Control-flow Graph

APIs
• WSAStartup.WS2_32 ref: 00007FF68C7B186C
  • Part of subcall function 00007FF68C7B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68C7B1475
  • Part of subcall function 00007FF68C7B1450: fprintf.MSPDB140-MSVCRT ref: 00007FF68C7B1485
  • Part of subcall function 00007FF68C7B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68C7B1494
  • Part of subcall function 00007FF68C7B1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68C7B14B3
  • Part of subcall function 00007FF68C7B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68C7B14BE
  • Part of subcall function 00007FF68C7B1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68C7B14C7
Strings
Memory Dump Source
• Source File: 00000007.00000002.1840940905.00007FF68C7B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF68C7B0000, based on PE: true
• Associated: 00000007.00000002.1840923329.00007FF68C7B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840998417.00007FF68C7BC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1841030214.00007FF68C7BD000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff68c7b0000_createdump.jbxd
Similarity
• API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
• String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
• API String ID: 3378602911-3973674938
• Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
• Instruction ID: c394eb0771b910e959f0ea35dee484f64734a7614ffe7cd6480f3f7976d3b8a9
• Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
• Instruction Fuzzy Hash: 2131D062E08AC1C7EB598F56E8657F927A2BF46784F84403AEE5D87391CE3CE145C700

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF68C7B669F,?,?,?,00007FF68C7B441E,?,?,?,00007FF68C7B43D9), ref: 00007FF68C7B651D
                                                                                                        • GetLastError.KERNEL32(?,00000000,00007FF68C7B669F,?,?,?,00007FF68C7B441E,?,?,?,00007FF68C7B43D9,?,?,?,?,00007FF68C7B3524), ref: 00007FF68C7B652B
                                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00007FF68C7B669F,?,?,?,00007FF68C7B441E,?,?,?,00007FF68C7B43D9,?,?,?,?,00007FF68C7B3524), ref: 00007FF68C7B6555
                                                                                                        • FreeLibrary.KERNEL32(?,00000000,00007FF68C7B669F,?,?,?,00007FF68C7B441E,?,?,?,00007FF68C7B43D9,?,?,?,?,00007FF68C7B3524), ref: 00007FF68C7B659B
                                                                                                        • GetProcAddress.KERNEL32(?,00000000,00007FF68C7B669F,?,?,?,00007FF68C7B441E,?,?,?,00007FF68C7B43D9,?,?,?,?,00007FF68C7B3524), ref: 00007FF68C7B65A7
Strings
Memory Dump Source
• Source File: 00000007.00000002.1840940905.00007FF68C7B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF68C7B0000, based on PE: true
• Associated: 00000007.00000002.1840923329.00007FF68C7B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1840998417.00007FF68C7BC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1841030214.00007FF68C7BD000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff68c7b0000_createdump.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818

Control-flow Graph (legend: Executed / Not Executed)
APIs
Strings
Similarity
• API ID: _time64
• String ID: %%%%%%%%$Could not get the host name for dump name: %d
• API String ID: 1670930206-4114407318

Control-flow Graph

APIs
Strings
Similarity
• API ID: EncodePointerabort
• String ID: MOC$RCC
• API String ID: 1188231555-2084237596

Control-flow Graph (legend: Executed / Not Executed)
APIs
Strings
Similarity
• API ID: __except_validate_context_recordabort
• String ID: csm$csm
• API String ID: 746414643-3733052814

Control-flow Graph

Strings
Similarity
• API ID:
• String ID: %%%%%%%%$Could not get the host name for dump name: %d
• API String ID: 0-4114407318

Control-flow Graph

APIs
Strings
Similarity
• API ID: CreateFrameInfo__except_validate_context_record
• String ID: csm
• API String ID: 2558813199-1018135373
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00007FF68C7B17EB
• WSAStartup.WS2_32 ref: 00007FF68C7B186C
  • Part of subcall function 00007FF68C7B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68C7B1475
  • Part of subcall function 00007FF68C7B1450: fprintf.MSPDB140-MSVCRT ref: 00007FF68C7B1485
  • Part of subcall function 00007FF68C7B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68C7B1494
  • Part of subcall function 00007FF68C7B1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68C7B14B3
  • Part of subcall function 00007FF68C7B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68C7B14BE
  • Part of subcall function 00007FF68C7B1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68C7B14C7
Strings
Similarity
• API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
• String ID: --name$Pipe syntax in dump name not supported$string too long
• API String ID: 1412700758-3183687674
APIs
Strings
Similarity
• API ID: ErrorLastgethostname
• String ID: %%%%%%%%$Could not get the host name for dump name: %d
• API String ID: 3782448640-4114407318
APIs
Strings
Similarity
• API ID: terminate
• String ID: MOC$RCC$csm
• API String ID: 1821763600-2671469338
                                                                                                        APIs
                                                                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF68C7B18EE), ref: 00007FF68C7B21E0
                                                                                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68C7B221E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1840940905.00007FF68C7B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF68C7B0000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.1840923329.00007FF68C7B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                        • Associated: 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp
                                                                                                        • Associated: 00000007.00000002.1840998417.00007FF68C7BC000.00000004.00000001.01000000.00000006.sdmp
                                                                                                        • Associated: 00000007.00000002.1841030214.00007FF68C7BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ff68c7b0000_createdump.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                                                        • String ID: Invalid process id '%d' error %d
                                                                                                        • API String ID: 73155330-4244389950
                                                                                                        • Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                                                                        • Instruction ID: 371b1b8423c11cab981afa1863b7b366e241a4e113a80b6f7a3f9c88c316c82e
                                                                                                        • Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                                                                        • Instruction Fuzzy Hash: F3312622B0A786D6EA149F26D9042B963A5FF05BD0F984639DF5D87BD5DE7CE050C300
                                                                                                        APIs
                                                                                                        • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68C7B173F), ref: 00007FF68C7B3FC8
                                                                                                        • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68C7B173F), ref: 00007FF68C7B400E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1840940905.00007FF68C7B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF68C7B0000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.1840923329.00007FF68C7B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                        • Associated: 00000007.00000002.1840969842.00007FF68C7B8000.00000002.00000001.01000000.00000006.sdmp
                                                                                                        • Associated: 00000007.00000002.1840998417.00007FF68C7BC000.00000004.00000001.01000000.00000006.sdmp
                                                                                                        • Associated: 00000007.00000002.1841030214.00007FF68C7BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ff68c7b0000_createdump.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionFileHeaderRaise
                                                                                                        • String ID: csm
                                                                                                        • API String ID: 2573137834-1018135373
                                                                                                        • Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                                                                        • Instruction ID: ca7a8e44fff7d8ae39fef1133d8d489e5f8d5186699c41d74912b07e148c5849
                                                                                                        • Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                                                                        • Instruction Fuzzy Hash: 18113A36618B81C2EB218B25F44026977A0FF88B84F584234EE8D47B68DF3DD595CB00
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.1842298969.00007FF7B7AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7B7AB0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.1842276897.00007FF7B7AB0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842337538.00007FF7B7AB6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842359982.00007FF7B7AB9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7b7ab0000_obs-ffmpeg-mux.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: strncmp$__acrt_iob_func$av_dict_freeav_strerrorfprintfprintf$av_dict_getos_event_init$__stdio_common_vfprintf_errnoav_dict_countav_dict_parse_stringav_mallocavformat_write_headeravio_alloc_contextavio_openbreallocmemmovepthread_createpthread_mutex_initstrerror
                                                                                                        • String ID: %s=%s$Couldn't open '%s', %s$Error opening '%s': %s$Failed to parse muxer settings: %s%s$Using muxer settings:
                                                                                                        • API String ID: 2783795328-2826353358
                                                                                                        • Opcode ID: 0ced714b6d2bafb841ab697dc7cb68e417ab27a254e86fbca716fd3c82a395c5
                                                                                                        • Instruction ID: 332f8e5ab3e0a37ec98a25edb7dee5f85b7c7f467b779446c49ea387ee7cb335
                                                                                                        • Opcode Fuzzy Hash: 0ced714b6d2bafb841ab697dc7cb68e417ab27a254e86fbca716fd3c82a395c5
                                                                                                        • Instruction Fuzzy Hash: 39A16521B1868255E794FB2DD4507F8A360FB6A788FC04136FB4D477A9DF2CE2568350
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.1842298969.00007FF7B7AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7B7AB0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.1842276897.00007FF7B7AB0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842337538.00007FF7B7AB6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842359982.00007FF7B7AB9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7b7ab0000_obs-ffmpeg-mux.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __acrt_iob_func$freemalloc$fprintf$ByteCharMultiWideav_rescale_q_rndrealloc$ErrorMode__stdio_common_vfprintf_fileno_setmodeav_interleaved_write_frameav_strerrormemsetsetvbuf
                                                                                                        • String ID: Couldn't initialize muxer$av_interleaved_write_frame failed: %d: %s
                                                                                                        • API String ID: 4192084208-164389310
                                                                                                        • Opcode ID: 90e4d641eae2122b72088982d14054dbbcc6ef952270b6c02c8a2abd6878b3b9
                                                                                                        • Instruction ID: 78a277700af892432cef8009d7fb6987c43a7722454a9d972e46c9413c80de3e
                                                                                                        • Opcode Fuzzy Hash: 90e4d641eae2122b72088982d14054dbbcc6ef952270b6c02c8a2abd6878b3b9
                                                                                                        • Instruction Fuzzy Hash: 74E1A622A0868186EB50EF6DE8507BDA765FBAAB84F804135EF0D17768DF3CD546C710
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.1842298969.00007FF7B7AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7B7AB0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.1842276897.00007FF7B7AB0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842337538.00007FF7B7AB6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842359982.00007FF7B7AB9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7b7ab0000_obs-ffmpeg-mux.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 313767242-0
                                                                                                        • Opcode ID: 8e29f9cfb3282d508510f87b074f2afb23630758b427b43b81c2847ae2e7d6a0
                                                                                                        • Instruction ID: 831e55d978f92d35b8bc29e1187798df5c825643843a49c7aa64e3ae18a745fe
                                                                                                        • Opcode Fuzzy Hash: 8e29f9cfb3282d508510f87b074f2afb23630758b427b43b81c2847ae2e7d6a0
                                                                                                        • Instruction Fuzzy Hash: C7318572609B8189EBA0AF68E8507EDB360FB95744F844439EB4D47BA8EF3CD149C710
                                                                                                        APIs
                                                                                                          • Part of subcall function 00007FF7B7AB2570: printf.MSPDB140-MSVCRT ref: 00007FF7B7AB2587
                                                                                                          • Part of subcall function 00007FF7B7AB2530: atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,00000000,00007FF7B7AB2617,?,?,?,00007FF7B7AB1BD6,?,?,?,00007FF7B7AB1A02), ref: 00007FF7B7AB2552
                                                                                                        • puts.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF7B7AB1BD6,?,?,?,00007FF7B7AB1A02), ref: 00007FF7B7AB28DF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.1842298969.00007FF7B7AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7B7AB0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.1842276897.00007FF7B7AB0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842337538.00007FF7B7AB6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842359982.00007FF7B7AB9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7b7ab0000_obs-ffmpeg-mux.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: atoiprintfputs
                                                                                                        • String ID: Invalid number of audio tracks$Invalid number of video tracks$Must have at least 1 audio track or 1 video track$audio codec$audio track count$file name$muxer settings$stream key$video bitrate$video chroma sample location$video codec$video codec tag$video color primaries$video color range$video color trc$video colorspace$video fps den$video fps num$video height$video max luminance$video track count$video width${stream_key}
                                                                                                        • API String ID: 3402752964-4246942696
                                                                                                        • Opcode ID: bbb72588bee9787a683502761444138c14bf0f1375247d53f9cdc5c5b4da8170
                                                                                                        • Instruction ID: c0b79718f7aa7bab1b91c4e6a822000b2a0361e1b95019c10f6c75f952145658
                                                                                                        • Opcode Fuzzy Hash: bbb72588bee9787a683502761444138c14bf0f1375247d53f9cdc5c5b4da8170
                                                                                                        • Instruction Fuzzy Hash: AC81196490865691F994FB5DA664CE8A391AB2A781FC50173FF0D477ADDF3CE207C220
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.1842298969.00007FF7B7AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7B7AB0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.1842276897.00007FF7B7AB0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842337538.00007FF7B7AB6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842359982.00007FF7B7AB9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7b7ab0000_obs-ffmpeg-mux.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$__acrt_iob_func__stdio_common_vfprintffclosefprintfmallocos_event_signalos_event_waitpthread_mutex_lock
                                                                                                        • String ID: Error allocating memory for output$Error writing to '%s', %s
                                                                                                        • API String ID: 2637689336-4070097938
                                                                                                        • Opcode ID: a31c7b85b8c0d82d0157cb35a6e72543ed071c06804e902690462ed57beb3fc0
                                                                                                        • Instruction ID: b982bb5b5d06c6a2e5d02f42d764419755c43d0c70a33a8f25888068ea5b538c
                                                                                                        • Opcode Fuzzy Hash: a31c7b85b8c0d82d0157cb35a6e72543ed071c06804e902690462ed57beb3fc0
                                                                                                        • Instruction Fuzzy Hash: EEA15F32609A8285E791AF6DE4407F9A760FB9AB88F840431EF8D0776DDF38D146C720
                                                                                                        APIs
                                                                                                        • strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7B7AB1A6D
                                                                                                          • Part of subcall function 00007FF7B7AB2030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7B7AB23A2), ref: 00007FF7B7AB204A
                                                                                                          • Part of subcall function 00007FF7B7AB2030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7B7AB23A2), ref: 00007FF7B7AB2065
                                                                                                          • Part of subcall function 00007FF7B7AB2030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7B7AB23A2), ref: 00007FF7B7AB2080
                                                                                                          • Part of subcall function 00007FF7B7AB2030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7B7AB23A2), ref: 00007FF7B7AB209B
                                                                                                          • Part of subcall function 00007FF7B7AB2030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7B7AB23A2), ref: 00007FF7B7AB20B6
                                                                                                        • avformat_network_init.AVFORMAT-60 ref: 00007FF7B7AB1A85
                                                                                                        • av_guess_format.AVFORMAT-60 ref: 00007FF7B7AB1AAF
                                                                                                        • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B7AB1ABC
                                                                                                        • fprintf.MSPDB140-MSVCRT ref: 00007FF7B7AB1AD0
                                                                                                        • avformat_alloc_output_context2.AVFORMAT-60 ref: 00007FF7B7AB1AEC
                                                                                                        • av_strerror.AVUTIL-58 ref: 00007FF7B7AB1B19
                                                                                                        • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B7AB1B23
                                                                                                        • fprintf.MSPDB140-MSVCRT ref: 00007FF7B7AB1B38
                                                                                                          • Part of subcall function 00007FF7B7AB2910: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7B7AB1B4C), ref: 00007FF7B7AB2939
                                                                                                          • Part of subcall function 00007FF7B7AB2370: avcodec_free_context.AVCODEC-60 ref: 00007FF7B7AB2388
                                                                                                          • Part of subcall function 00007FF7B7AB2370: av_free.AVUTIL-58 ref: 00007FF7B7AB23B1
                                                                                                          • Part of subcall function 00007FF7B7AB2370: avio_context_free.AVFORMAT-60 ref: 00007FF7B7AB23BD
                                                                                                          • Part of subcall function 00007FF7B7AB2370: avformat_free_context.AVFORMAT-60 ref: 00007FF7B7AB23CC
                                                                                                          • Part of subcall function 00007FF7B7AB2370: avcodec_free_context.AVCODEC-60 ref: 00007FF7B7AB2402
                                                                                                          • Part of subcall function 00007FF7B7AB2370: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7B7AB2415
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.1842298969.00007FF7B7AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7B7AB0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.1842276897.00007FF7B7AB0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842337538.00007FF7B7AB6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842359982.00007FF7B7AB9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7b7ab0000_obs-ffmpeg-mux.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: strncmp$__acrt_iob_funcavcodec_free_contextfprintf$av_freeav_guess_formatav_strerroravformat_alloc_output_context2avformat_free_contextavformat_network_initavio_context_freecallocfree
                                                                                                        • String ID: Couldn't find an appropriate muxer for '%s'$Couldn't initialize output context: %s$http$mpegts$video/M2PT
                                                                                                        • API String ID: 3777911973-2524251934
                                                                                                        • Opcode ID: 078559d49e555ef7517477361438487f95b7fa6d5945ffa6822e70d97715306d
                                                                                                        • Instruction ID: c23cc09d8c70ca45f8f1f2a1f18f806858b68f188aef351f8a343799de99cc18
                                                                                                        • Opcode Fuzzy Hash: 078559d49e555ef7517477361438487f95b7fa6d5945ffa6822e70d97715306d
                                                                                                        • Instruction Fuzzy Hash: BA31B611A1864241FA94BB2DD411A79A350AFA7794FD05235FF1D073FEEF2CE5468720
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.1842298969.00007FF7B7AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7B7AB0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.1842276897.00007FF7B7AB0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842337538.00007FF7B7AB6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842359982.00007FF7B7AB9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7b7ab0000_obs-ffmpeg-mux.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __acrt_iob_funcav_content_light_metadata_allocav_mastering_display_metadata_allocav_memdupav_stream_add_side_dataavcodec_alloc_context3avcodec_descriptor_get_by_name
                                                                                                        • String ID: 2$Couldn't find codec '%s'$E
                                                                                                        • API String ID: 3726879996-2734579634
                                                                                                        • Opcode ID: 984bf621481a9a25f05ee9f8f0874bf5fd16c3df77fd558344dbfddc274f0f6a
                                                                                                        • Instruction ID: 5e3412839e6b8ec82e321c70ba681542f0c89a12704fa2831927535a3fdb14b9
                                                                                                        • Opcode Fuzzy Hash: 984bf621481a9a25f05ee9f8f0874bf5fd16c3df77fd558344dbfddc274f0f6a
                                                                                                        • Instruction Fuzzy Hash: BD811B76608780CBD794DF19E54075DBBB0F78AB88F50402AEB8C87758DB7AD855CB00
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.1842298969.00007FF7B7AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7B7AB0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.1842276897.00007FF7B7AB0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842337538.00007FF7B7AB6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842359982.00007FF7B7AB9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7b7ab0000_obs-ffmpeg-mux.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __acrt_iob_func$avcodec_descriptor_get_by_nameavcodec_find_encoder
                                                                                                        • String ID: Couldn't find codec '%s'$Couldn't find codec descriptor '%s'$title
                                                                                                        • API String ID: 3715327632-3279048111
                                                                                                        • Opcode ID: c9720edbb9d548ebec2452977bce4eb4d803eed367fb80ba86fd3ea18017a218
                                                                                                        • Instruction ID: e1376f544007d059dc28f20a17bd1f28a1220efaea6db96befb4dbc04eb8582b
                                                                                                        • Opcode Fuzzy Hash: c9720edbb9d548ebec2452977bce4eb4d803eed367fb80ba86fd3ea18017a218
                                                                                                        • Instruction Fuzzy Hash: 46619D72604B8486D748DF1AE490BADBB60FB95B94F454036EF4E077A8DF38E056C710
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.1842298969.00007FF7B7AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7B7AB0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.1842276897.00007FF7B7AB0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842337538.00007FF7B7AB6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842359982.00007FF7B7AB9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7b7ab0000_obs-ffmpeg-mux.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: bfreefreeos_event_destroy$av_packet_freeav_write_traileros_event_signalpthread_joinpthread_mutex_destroypthread_mutex_lockpthread_mutex_unlock
                                                                                                        • String ID:
                                                                                                        • API String ID: 3736584056-0
                                                                                                        • Opcode ID: 8bdf6fd2e92e54ef71616242ce810bf52dd6c25259264d2bdbef31b8de60417c
                                                                                                        • Instruction ID: 103a09e77a8341993b02650d027581661f3259f8d0064038883a0c03ea47b2c5
                                                                                                        • Opcode Fuzzy Hash: 8bdf6fd2e92e54ef71616242ce810bf52dd6c25259264d2bdbef31b8de60417c
                                                                                                        • Instruction Fuzzy Hash: 20313322918A8181E791FF3CC4617FC6350FFA6B48F844131EF4D4A2AEDF2995868361
                                                                                                        APIs
                                                                                                        • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7B7AB23A2), ref: 00007FF7B7AB204A
                                                                                                        • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7B7AB23A2), ref: 00007FF7B7AB2065
                                                                                                        • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7B7AB23A2), ref: 00007FF7B7AB2080
                                                                                                        • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7B7AB23A2), ref: 00007FF7B7AB209B
                                                                                                        • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7B7AB23A2), ref: 00007FF7B7AB20B6
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.1842298969.00007FF7B7AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7B7AB0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.1842276897.00007FF7B7AB0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842337538.00007FF7B7AB6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842359982.00007FF7B7AB9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7b7ab0000_obs-ffmpeg-mux.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: strncmp
                                                                                                        • String ID: http$rist$srt$tcp$udp
                                                                                                        • API String ID: 1114863663-504309389
                                                                                                        • Opcode ID: d2521f5543573ed7a9b47c763349208ce3ea302e6d5c14a99d4cb2250db2cd2e
                                                                                                        • Instruction ID: 0201643b7227921fa15f119d218222f2a2b20f53e3d196ced7da3e9449c2593b
                                                                                                        • Opcode Fuzzy Hash: d2521f5543573ed7a9b47c763349208ce3ea302e6d5c14a99d4cb2250db2cd2e
                                                                                                        • Instruction Fuzzy Hash: F4013C90B1850394FBA26F2EE450A246360AF66B95FD05035DB0C873B8DF2DE68BC330
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.1842298969.00007FF7B7AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7B7AB0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.1842276897.00007FF7B7AB0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842337538.00007FF7B7AB6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842359982.00007FF7B7AB9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7b7ab0000_obs-ffmpeg-mux.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpypthread_mutex_lockpthread_mutex_unlock$os_event_resetos_event_signalos_event_wait
                                                                                                        • String ID:
                                                                                                        • API String ID: 2918620995-0
                                                                                                        • Opcode ID: 2ecd02ec26d4cc9ba7addf2ffba6d2c38598a6939d4a4f97ceb40f02c73610ba
                                                                                                        • Instruction ID: 868383664935a758dd0bda9e9734f672c4a12edceaa8adf4281a7a2f3ade0e6c
                                                                                                        • Opcode Fuzzy Hash: 2ecd02ec26d4cc9ba7addf2ffba6d2c38598a6939d4a4f97ceb40f02c73610ba
                                                                                                        • Instruction Fuzzy Hash: 67415632618A8181D650EF29E4517ADA764FB96BD8F840032FF8D57BAECF3CD1968710
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.1842298969.00007FF7B7AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7B7AB0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.1842276897.00007FF7B7AB0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842337538.00007FF7B7AB6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842359982.00007FF7B7AB9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7b7ab0000_obs-ffmpeg-mux.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __p___argc__p___wargv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_release_startup_lock_cexit_exit_get_initial_wide_environment_register_thread_local_exe_atexit_callback
                                                                                                        • String ID:
                                                                                                        • API String ID: 1184979102-0
                                                                                                        • Opcode ID: d1267e791b308d50114738cb6d3fcce0682459912f5f90b2ba963487117e6561
                                                                                                        • Instruction ID: 7b13b99f49ba8f61aa88d65a125a4eae2c0cac73a9f79a6c6793c83bcb581355
                                                                                                        • Opcode Fuzzy Hash: d1267e791b308d50114738cb6d3fcce0682459912f5f90b2ba963487117e6561
                                                                                                        • Instruction Fuzzy Hash: A9311821E0814281EA94BB6DA461BB9E291EF77784FD44039FB0D473FBDE2DE4468631
                                                                                                        APIs
                                                                                                        • avcodec_free_context.AVCODEC-60 ref: 00007FF7B7AB2388
                                                                                                        • avformat_free_context.AVFORMAT-60 ref: 00007FF7B7AB23CC
                                                                                                          • Part of subcall function 00007FF7B7AB2030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7B7AB23A2), ref: 00007FF7B7AB204A
                                                                                                          • Part of subcall function 00007FF7B7AB2030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7B7AB23A2), ref: 00007FF7B7AB2065
                                                                                                          • Part of subcall function 00007FF7B7AB2030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7B7AB23A2), ref: 00007FF7B7AB2080
                                                                                                          • Part of subcall function 00007FF7B7AB2030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7B7AB23A2), ref: 00007FF7B7AB209B
                                                                                                          • Part of subcall function 00007FF7B7AB2030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7B7AB23A2), ref: 00007FF7B7AB20B6
                                                                                                        • av_free.AVUTIL-58 ref: 00007FF7B7AB23B1
                                                                                                        • avio_context_free.AVFORMAT-60 ref: 00007FF7B7AB23BD
                                                                                                        • avio_close.AVFORMAT-60 ref: 00007FF7B7AB23C4
                                                                                                        • avcodec_free_context.AVCODEC-60 ref: 00007FF7B7AB2402
                                                                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7B7AB2415
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.1842298969.00007FF7B7AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7B7AB0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.1842276897.00007FF7B7AB0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842337538.00007FF7B7AB6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842359982.00007FF7B7AB9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7b7ab0000_obs-ffmpeg-mux.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: strncmp$avcodec_free_context$av_freeavformat_free_contextavio_closeavio_context_freefree
                                                                                                        • String ID:
                                                                                                        • API String ID: 1086289117-0
                                                                                                        • Opcode ID: 5750c0e3cd2fb8260dfd87b4c22098c1e8e3cbc363b4994d39577057d30215b3
                                                                                                        • Instruction ID: 602d3faddaf1311c87a558f0b90d802546ef846b634a99bd857eb60f7ac4f612
                                                                                                        • Opcode Fuzzy Hash: 5750c0e3cd2fb8260dfd87b4c22098c1e8e3cbc363b4994d39577057d30215b3
                                                                                                        • Instruction Fuzzy Hash: 00217122A0865182EB90AF2DD06077CA760FB96F84F555532EB4D477ADCF38D4578320
                                                                                                        APIs
                                                                                                        • avformat_new_stream.AVFORMAT-60(?,?,?,00007FF7B7AB12F1), ref: 00007FF7B7AB29AD
                                                                                                        • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF7B7AB12F1), ref: 00007FF7B7AB29C0
                                                                                                        • fprintf.MSPDB140-MSVCRT ref: 00007FF7B7AB29D3
                                                                                                          • Part of subcall function 00007FF7B7AB2320: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FF7B7AB29D8,?,?,?,00007FF7B7AB12F1), ref: 00007FF7B7AB2357
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.1842298969.00007FF7B7AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7B7AB0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.1842276897.00007FF7B7AB0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842320552.00007FF7B7AB5000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842337538.00007FF7B7AB6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 0000000A.00000002.1842359982.00007FF7B7AB9000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7b7ab0000_obs-ffmpeg-mux.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __acrt_iob_func__stdio_common_vfprintfavformat_new_streamfprintf
                                                                                                        • String ID: Couldn't create stream for encoder '%s'
                                                                                                        • API String ID: 306180413-3485626053
                                                                                                        • Opcode ID: 97d36ac62344db8522675eb32487dc47749b1acbad2880230df25e82e6eb689d
                                                                                                        • Instruction ID: 10c7f47950befd572dca1009e67b79c63411fce630f758e0606d6eff158fd9ad
                                                                                                        • Opcode Fuzzy Hash: 97d36ac62344db8522675eb32487dc47749b1acbad2880230df25e82e6eb689d
                                                                                                        • Instruction Fuzzy Hash: BFF04F32A19A8081EA88DB1AF451469A760FB9DBD0B889035FF5D03769DE38D552CB00