
Windows Analysis Report
Setup.msi

Overview

General Information

Sample name: Setup.msi
Analysis ID: 1583583
MD5: 523591c4bc224a911b1b9d706cd7eab5
SHA1: 4522d4d244b6bfe23664d862233783024b80933a
SHA256: 82cf590a9b6eb15a555c556ba25b143a2ae1977379646a2b6990db15e3dff635
Tags: msi, user-Demigod

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Bypasses PowerShell execution policy
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected AdvancedInstaller

Classification

  • System is w10x64
  • msiexec.exe (PID: 7096 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7164 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 4408 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8F0616FDCCEEE0FB673056B78EC724D0 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 3652 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBB88.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBB75.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBB76.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBB77.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 6112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6404 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\suriqk.bat" "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • obs-ffmpeg-mux.exe (PID: 2816 cmdline: "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe" MD5: D3CAC4D7B35BACAE314F48C374452D71)
        • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 6500 cmdline: "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source            | Rule                          | Description                     | Author       | Strings
sslproxydump.pcap | JoeSecurity_AdvancedInstaller | Yara detected AdvancedInstaller | Joe Security | (none)

    System Summary

    Source: Process started. Five Sigma rules matched on the same event; rule authors: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; frack113 (two rules); Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data (identical for all five matches):
        Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBB88.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBB75.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBB76.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBB77.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
        CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBB88.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBB75.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBB76.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBB77.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
        CommandLine|base64offset|contains: (empty)
        Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 8F0616FDCCEEE0FB673056B78EC724D0
        ParentImage: C:\Windows\SysWOW64\msiexec.exe
        ParentProcessId: 4408
        ParentProcessName: msiexec.exe
        ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBB88.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBB75.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBB76.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBB77.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
        ProcessId: 3652
        ProcessName: powershell.exe
    Source: Network Connection. Author: frack113. Data:
        DestinationIp: 104.21.32.1
        DestinationIsIpv6: false
        DestinationPort: 443
        EventID: 3
        Image: C:\Windows\SysWOW64\msiexec.exe
        Initiated: true
        ProcessId: 4408
        Protocol: tcp
        SourceIp: 192.168.2.4
        SourceIsIpv6: false
        SourcePort: 49730
    Timestamp                       | SID     | Severity | Classtype                     | Source IP   | Source Port | Destination IP | Destination Port | Protocol
    2025-01-03T05:47:08.564418+0100 | 2829202 | 1        | A Network Trojan was detected | 192.168.2.4 | 49730       | 104.21.32.1    | 443              | TCP


    AV Detection

    Source: Setup.msi | Virustotal: Detection: 8%
    Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B226FDD8-45CE-468C-BC02-427FB575E735}
    Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49730 version: TLS 1.2
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000006.00000000.1786420932.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: ucrtbase.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
    Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
    Source: Binary string: obs-ffmpeg-mux.pdb source: obs-ffmpeg-mux.exe, 00000009.00000000.1789090525.00007FF71D015000.00000002.00000001.01000000.00000007.sdmp, obs-ffmpeg-mux.exe, 00000009.00000002.1790574184.00007FF71D015000.00000004.00000001.01000000.00000007.sdmp
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000006.00000000.1786420932.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: ucrtbase.pdbUGP source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Setup.msi, MSIA87D.tmp.1.dr, MSIA82D.tmp.1.dr, 5b9f62.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: Setup.msi, 5b9f62.msi.1.dr
    Source: C:\Windows\System32\msiexec.exe | File opened: z:
    Source: C:\Windows\System32\msiexec.exe | File opened: x:
    Source: C:\Windows\System32\msiexec.exe | File opened: v:
    Source: C:\Windows\System32\msiexec.exe | File opened: t:
    Source: C:\Windows\System32\msiexec.exe | File opened: r:
    Source: C:\Windows\System32\msiexec.exe | File opened: p:
    Source: C:\Windows\System32\msiexec.exe | File opened: n:
    Source: C:\Windows\System32\msiexec.exe | File opened: l:
    Source: C:\Windows\System32\msiexec.exe | File opened: j:
    Source: C:\Windows\System32\msiexec.exe | File opened: h:
    Source: C:\Windows\System32\msiexec.exe | File opened: f:
    Source: C:\Windows\System32\msiexec.exe | File opened: b:
    Source: C:\Windows\System32\msiexec.exe | File opened: y:
    Source: C:\Windows\System32\msiexec.exe | File opened: w:
    Source: C:\Windows\System32\msiexec.exe | File opened: u:
    Source: C:\Windows\System32\msiexec.exe | File opened: s:
    Source: C:\Windows\System32\msiexec.exe | File opened: q:
    Source: C:\Windows\System32\msiexec.exe | File opened: o:
    Source: C:\Windows\System32\msiexec.exe | File opened: m:
    Source: C:\Windows\System32\msiexec.exe | File opened: k:
    Source: C:\Windows\System32\msiexec.exe | File opened: i:
    Source: C:\Windows\System32\msiexec.exe | File opened: g:
    Source: C:\Windows\System32\msiexec.exe | File opened: e:
    Source: C:\Windows\System32\cmd.exe | File opened: c:
    Source: C:\Windows\System32\msiexec.exe | File opened: a:
    Source: Yara match | File source: sslproxydump.pcap, type: PCAP

    Networking

    Source: Network traffic | Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49730 -> 104.21.32.1:443
    Source: Joe Sandbox View | IP Address: 104.21.32.1
    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | DNS traffic detected: DNS query: blamedical.com
    Source: unknown | HTTP traffic detected:
        POST /updater.php HTTP/1.1
        Content-Type: application/x-www-form-urlencoded; charset=utf-8
        User-Agent: AdvancedInstaller
        Host: blamedical.com
        Content-Length: 71
        Cache-Control: no-cache
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: swresample-4.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: avformat-60.dll.1.dr | String found in binary or memory: http://dashif.org/guidelines/trickmode
    Source: powershell.exe, 00000003.00000002.1735203041.0000000006238000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
    Source: Setup.msi, avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr, 5b9f62.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0K
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0N
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0O
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
    Source: powershell.exe, 00000003.00000002.1733167241.0000000005326000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: http://schemas.micj
    Source: powershell.exe, 00000003.00000002.1733167241.00000000051D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: avformat-60.dll.1.dr | String found in binary or memory: http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd
    Source: powershell.exe, 00000003.00000002.1733167241.0000000005326000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: Setup.msi, avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr, 5b9f62.msi.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
    Source: obs-ffmpeg-mux.exe, 00000009.00000002.1798010893.00007FFDF9940000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: http://www.videolan.org/x264.html
    Source: zlib.dll.1.dr | String found in binary or memory: http://www.zlib.net/D
    Source: powershell.exe, 00000003.00000002.1733167241.00000000051D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: https://blamedical.com/updater.phpx
    Source: powershell.exe, 00000003.00000002.1735203041.0000000006238000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000003.00000002.1735203041.0000000006238000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000003.00000002.1735203041.0000000006238000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000003.00000002.1733167241.0000000005326000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000003.00000002.1733167241.0000000005895000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
    Source: powershell.exe, 00000003.00000002.1735203041.0000000006238000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: Setup.msi, 5b9f62.msi.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
    Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
    Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49730 version: TLS 1.2
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5b9f62.msi
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA7AF.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA82D.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA85D.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA87D.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA8BC.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA8EC.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA91C.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIB4C5.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{B226FDD8-45CE-468C-BC02-427FB575E735}
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIBA83.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIBA94.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5b9f65.msi
    Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSIA7AF.tmp
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | Code function: 9_2_00007FF71D012EE0
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | Code function: 9_2_00007FF71D012A10
    Source: avcodec-60.dll.1.dr | Static PE information: Number of sections : 13 > 10
    Source: avutil-58.dll.1.dr | Static PE information: Number of sections : 12 > 10
    Source: swresample-4.dll.1.dr | Static PE information: Number of sections : 12 > 10
    Source: swscale-7.dll.1.dr | Static PE information: Number of sections : 12 > 10
    Source: zlib.dll.1.dr | Static PE information: Number of sections : 12 > 10
    Source: avformat-60.dll.1.dr | Static PE information: Number of sections : 12 > 10
    Source: api-ms-win-core-handle-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-string-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-synch-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-memory-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-debug-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-heap-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-console-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-console-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l2-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-profile-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-localization-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-util-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-interlocked-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-synch-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-conio-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-timezone-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-convert-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: Setup.msiBinary or memory string: OriginalFilenameAICustAct.dllF vs Setup.msi
    Source: Setup.msiBinary or memory string: OriginalFilenameSoftwareDetector.dllF vs Setup.msi
    Source: Setup.msiBinary or memory string: OriginalFilenameDataUploader.dllF vs Setup.msi
    Source: Setup.msiBinary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs Setup.msi
    Source: Setup.msiBinary or memory string: OriginalFilenameucrtbase.dllj% vs Setup.msi
    Source: Setup.msiBinary or memory string: OriginalFilenamevcruntime140.dllT vs Setup.msi
    Source: Setup.msiBinary or memory string: OriginalFilenamemsvcp140.dllT vs Setup.msi
    Source: Setup.msiBinary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs Setup.msi
    Source: Setup.msiBinary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs Setup.msi
    Source: Setup.msiBinary or memory string: OriginalFilenameembeddeduiproxy.dllF vs Setup.msi
    Source: classification engineClassification label: mal68.evad.winMSI@18/88@1/1
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CMLC374.tmpJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3652:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6112:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF8858D8B98AEEA206.TMPJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\suriqk.bat" "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe""
    Source: C:\Windows\SysWOW64\msiexec.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\PayloadJump to behavior
    Source: Setup.msiVirustotal: Detection: 8%
    Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Setup.msi"
    Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8F0616FDCCEEE0FB673056B78EC724D0
    Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBB88.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBB75.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBB76.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBB77.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\suriqk.bat" "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe""
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe"
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe"
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8F0616FDCCEEE0FB673056B78EC724D0Jump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\suriqk.bat" "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe""Jump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe"Jump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBB88.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBB75.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBB76.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBB77.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe" Jump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: atlthunk.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exeSection loaded: dbgcore.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exeSection loaded: obs.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exeSection loaded: avcodec-60.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exeSection loaded: avutil-58.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exeSection loaded: avformat-60.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exeSection loaded: w32-pthreads.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exeSection loaded: vcruntime140.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exeSection loaded: avutil-58.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exeSection loaded: swresample-4.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B226FDD8-45CE-468C-BC02-427FB575E735}Jump to behavior
    Source: Setup.msiStatic file information: File size 60710400 > 1048576
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000006.00000000.1786420932.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: ucrtbase.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
    Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
    Source: Binary string: obs-ffmpeg-mux.pdb source: obs-ffmpeg-mux.exe, 00000009.00000000.1789090525.00007FF71D015000.00000002.00000001.01000000.00000007.sdmp, obs-ffmpeg-mux.exe, 00000009.00000002.1790574184.00007FF71D015000.00000004.00000001.01000000.00000007.sdmp
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000006.00000000.1786420932.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: ucrtbase.pdbUGP source: Setup.msi, 5b9f62.msi.1.dr
    Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Setup.msi, MSIA87D.tmp.1.dr, MSIA82D.tmp.1.dr, 5b9f62.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: Setup.msi, 5b9f62.msi.1.dr
    Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
    Source: vcruntime140.dll.1.dr Static PE information: section name: _RDATA
    Source: BCUninstaller.exe.1.dr Static PE information: section name: _RDATA
    Source: createdump.exe.1.dr Static PE information: section name: _RDATA
    Source: UnRar.exe.1.dr Static PE information: section name: _RDATA
    Source: avformat-60.dll.1.dr Static PE information: section name: .xdata
    Source: avutil-58.dll.1.dr Static PE information: section name: .xdata
    Source: swresample-4.dll.1.dr Static PE information: section name: .xdata
    Source: swscale-7.dll.1.dr Static PE information: section name: .xdata
    Source: zlib.dll.1.dr Static PE information: section name: .xdata
    Source: avcodec-60.dll.1.dr Static PE information: section name: .rodata
    Source: avcodec-60.dll.1.dr Static PE information: section name: .xdata
    Source: MSIBA94.tmp.1.dr Static PE information: section name: .fptable
    Source: MSIA7AF.tmp.1.dr Static PE information: section name: .fptable
    Source: MSIA82D.tmp.1.dr Static PE information: section name: .fptable
    Source: MSIA85D.tmp.1.dr Static PE information: section name: .fptable
    Source: MSIA87D.tmp.1.dr Static PE information: section name: .fptable
    Source: MSIA8BC.tmp.1.dr Static PE information: section name: .fptable
    Source: MSIA8EC.tmp.1.dr Static PE information: section name: .fptable
    Source: MSIA91C.tmp.1.dr Static PE information: section name: .fptable
    Source: MSIB4C5.tmp.1.dr Static PE information: section name: .fptable
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_0504BDA2 push esp; ret 3_2_0504BDB3
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07B70B99 push FFFFFFC3h; ret 3_2_07B70BEE
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\vcruntime140_1.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-datetime-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-conio-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-file-l2-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA87D.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-handle-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\swscale-7.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA91C.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-rtlsupport-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-processenvironment-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-synch-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA82D.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-heap-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-environment-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-interlocked-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA8EC.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\swresample-4.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-filesystem-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-processthreads-l1-1-1.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-localization-l1-2-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-convert-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-namedpipe-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-libraryloader-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA8BC.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-util-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-profile-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\msvcp140.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-memory-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA85D.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-console-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA7AF.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\avutil-58.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-file-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-debug-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-processthreads-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-console-l1-2-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\avcodec-60.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB4C5.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-sysinfo-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\vcruntime140.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-string-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBA94.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\avformat-60.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-file-l1-2-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-synch-l1-2-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\w32-pthreads.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\utest.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-errorhandling-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-timezone-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\zlib.dll
    Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4631
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\vcruntime140_1.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-conio-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\msvcp140.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-datetime-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-file-l2-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-memory-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-handle-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\swscale-7.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA85D.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA87D.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA91C.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-rtlsupport-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-console-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-processenvironment-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA7AF.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-synch-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA82D.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-file-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-debug-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-processthreads-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-heap-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-console-l1-2-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-environment-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB4C5.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-interlocked-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-sysinfo-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-string-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIBA94.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-file-l1-2-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA8EC.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-synch-l1-2-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-filesystem-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-processthreads-l1-1-1.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\utest.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-localization-l1-2-0.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-errorhandling-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA8BC.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\zlib.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\api-ms-win-core-util-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe | API coverage: 8.2 %
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6520 | Thread sleep count: 4631 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6180 | Thread sleep count: 286 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5844 | Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5688 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation (7 occurrences)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
    Source: obs-ffmpeg-mux.exe, 00000009.00000002.1798010893.00007FFDF952A000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: vmncVMware Screen Codec / VMware Video @j
    Source: 5b9f62.msi.1.dr | Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
    Source: Setup.msi | Binary or memory string: vmCi^
    Source: obs-ffmpeg-mux.exe, 00000009.00000002.1798010893.00007FFDF941D000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: VMware Screen Codec / VMware Video
    Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe | Code function 6_2_00007FF609542ECC: IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\suriqk.bat" "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe""
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe | Code function 6_2_00007FF609543074: SetUnhandledExceptionFilter
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe | Code function 6_2_00007FF609542984: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | Code function 9_2_00007FF71D013774: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | Code function 9_2_00007FF71D013C5C: IsProcessorFeaturePresent, memset, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe | Code function 9_2_00007FF71D013E04: SetUnhandledExceptionFilter
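    The four powershell.exe sleep lines above are easy to misread. 922337203685477 is 2^63 // 10 000, the magnitude of the NT relative interval 0x8000000000000000 that SleepEx(INFINITE) hands to NtDelayExecution, and the figure for TID 5844 is exactly twice it. Those two threads are therefore parked in infinite, alertable waits rather than in a timed multi-minute delay; the 4631 and 286 sleep calls counted on the other two threads are the only evidence of a sleep loop. The script below, added here by the editor and not part of the Joe Sandbox report, decodes lines of this shape. It assumes (the page does not document this) that the sandbox divides the 100 ns interval by 10 000 and sums per thread, so that its "s" suffix really denotes milliseconds; the sentinel identification does not depend on that unit.

```python
"""Decode Joe Sandbox "Thread sleep" figures into timed vs. infinite waits.

Added example by the editor, not part of the report. Assumption: the sandbox
prints the relative NtDelayExecution interval (negative, 100 ns units)
divided by 10 000, i.e. milliseconds despite the "s" suffix, summed per
thread.
"""
import re

TICKS_PER_MS = 10_000
# SleepEx(INFINITE) reaches NtDelayExecution as the most negative
# LARGE_INTEGER, 0x8000000000000000: "wait until alerted", not a timed delay.
INFINITE_TICKS = 1 << 63
INFINITE_MS = INFINITE_TICKS // TICKS_PER_MS   # 922337203685477
LONG_SLEEP_S = 180                             # the report's ">= 3 min" threshold

# Constructed copies of the report's four powershell.exe lines.
SAMPLE = """\
powershell.exe TID: 6520 Thread sleep count: 4631 > 30
powershell.exe TID: 6180 Thread sleep count: 286 > 30
powershell.exe TID: 5844 Thread sleep time: -1844674407370954s >= -30000s
powershell.exe TID: 5688 Thread sleep time: -922337203685477s >= -30000s
"""
LINE = re.compile(r"TID:\s*(\d+)\s+Thread sleep (count|time):\s*(-?\d+)")


def decode_sleep_time(reported):
    """Classify one reported sleep-time figure (milliseconds, sign ignored)."""
    ms = abs(int(reported))
    if ms and ms % INFINITE_MS == 0:
        # A whole multiple of the sentinel: that many INFINITE waits summed.
        return {"kind": "infinite", "calls": ms // INFINITE_MS, "seconds": None}
    seconds = ms / 1000
    kind = "long_timed" if seconds >= LONG_SLEEP_S else "short_timed"
    return {"kind": kind, "calls": None, "seconds": seconds}


def parse_report(text):
    """Turn the sleep lines into one record per thread."""
    records = []
    for m in LINE.finditer(text):
        tid, what, value = int(m.group(1)), m.group(2), int(m.group(3))
        if what == "count":
            records.append({"tid": tid, "kind": "count", "calls": value, "seconds": None})
        else:
            records.append({"tid": tid, **decode_sleep_time(value)})
    return records


def timed_evasion_threads(records):
    """TIDs whose reported sleeps are genuine timed delays of >= 3 minutes."""
    return [r["tid"] for r in records if r["kind"] == "long_timed"]


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for r in recs:
        print(r)
    print("threads with long timed sleeps:", timed_evasion_threads(recs))
```

    Run against the report's lines, no thread is classified as a long timed sleep: the two "sleep time" entries decode to one and two INFINITE waits, which is what a .NET host parks worker threads in, so the "Contains long sleeps" hit alone should not be read as a deliberate delay before detonation.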

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBB88.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBB75.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBB76.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBB77.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe"
    Source: C:\Windows\SysWOW64\msiexec.exe | Process created (same command line, reported lower-cased): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssbb88.ps1" -propfile "c:\users\user\appdata\local\temp\msibb75.txt" -scriptfile "c:\users\user\appdata\local\temp\scrbb76.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrbb77.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
    Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe | Code function 6_2_00007FF609542DA0: GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
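    The process-creation lines above (msiexec.exe spawning powershell.exe with -ExecutionPolicy Bypass on a script under %LOCALAPPDATA%\Temp, and cmd.exe running a .bat out of %APPDATA%) are the events the Sigma rules named in the header fire on. The script below, added by the editor and not part of the Joe Sandbox report or of any product, runs equivalent checks over events constructed from this report's process tree; the event field names are an assumed schema and the benign control event is invented. Two details matter in practice. The report lists the same command line once in its original case and once fully lower-cased, so every match has to be case-insensitive, and PowerShell accepts any unambiguous prefix of a parameter name, so "-ex bypass" must hit too. And pssBB88.ps1 with its -propFile/-scriptFile/-propSep/-testPrefix arguments reads as a generic launcher stub (it is parameterised with separators rather than with anything sample-specific), so the file an analyst needs is the one passed as -scriptFile, scrBB76.ps1, which the report drops but does not show.

```python
"""Triage process-creation events for the msiexec -> PowerShell chain in this report.

Added example by the editor, not part of the Joe Sandbox report or of the
sample. The events are constructed from the report's process tree; the
field names (parent_image, image, command_line) are an assumed schema.
"""
import re

# Constructed events. The second is the fully lower-cased variant the report
# also lists; the last is an invented benign control.
EVENTS = [
    {"parent_image": r"C:\Windows\SysWOW64\msiexec.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": (
         r'powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass '
         r'-File "C:\Users\user\AppData\Local\Temp\pssBB88.ps1" '
         r'-propFile "C:\Users\user\AppData\Local\Temp\msiBB75.txt" '
         r'-scriptFile "C:\Users\user\AppData\Local\Temp\scrBB76.ps1" '
         r'-scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBB77.txt" '
         r'-propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."')},
    {"parent_image": r"c:\windows\syswow64\msiexec.exe",
     "image": r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
     "command_line": (
         r'powershell.exe -noprofile -noninteractive -executionpolicy bypass '
         r'-file "c:\users\user\appdata\local\temp\pssbb88.ps1" '
         r'-scriptfile "c:\users\user\appdata\local\temp\scrbb76.ps1"')},
    {"parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": (
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Ubrovs Apps Coops'
         r'\Triund App\suriqk.bat" "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops'
         r'\Triund App\obs-ffmpeg-mux.exe""')},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -NoProfile -File "C:\Program Files\Contoso\maint.ps1"'},
]

# "-ex", "-exec", ... are accepted prefixes of -ExecutionPolicy.
POLICY_BYPASS = re.compile(r"(?i)(?:^|\s)-ex[a-z]*\s+(?:bypass|unrestricted)\b")
# Quoted or bare absolute paths to script files anywhere on the command line.
QUOTED_SCRIPT = re.compile(r'(?i)"([a-z]:\\[^"]+?\.(?:ps1|bat|cmd))"')
BARE_SCRIPT = re.compile(r'(?i)(?<!")\b([a-z]:\\[^"\s]+?\.(?:ps1|bat|cmd))\b')
USER_WRITABLE = re.compile(r"(?i)\\appdata\\(?:local\\temp|roaming)\\")
SCRIPT_FILE_ARG = re.compile(r'(?i)-scriptfile\s+"([^"]+)"')


def script_paths(command_line):
    """Every .ps1/.bat/.cmd path named on the command line."""
    return QUOTED_SCRIPT.findall(command_line) + BARE_SCRIPT.findall(command_line)


def custom_action_payload(command_line):
    """For the pss*.ps1 launcher stub, the -scriptFile it actually runs."""
    m = SCRIPT_FILE_ARG.search(command_line)
    return m.group(1) if m else None


def triage(event):
    """Names of the rules the event matches, in a fixed order."""
    hits = []
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    cmd = event["command_line"]
    is_powershell = image.endswith("\\powershell.exe")
    if is_powershell and POLICY_BYPASS.search(cmd):
        hits.append("powershell_execution_policy_bypass")
    if is_powershell and parent.endswith("\\msiexec.exe"):
        hits.append("msiexec_spawns_powershell")
    if any(USER_WRITABLE.search(p) for p in script_paths(cmd)):
        hits.append("script_from_user_writable_dir")
    return hits


if __name__ == "__main__":
    for ev in EVENTS:
        name = ev["image"].rsplit("\\", 1)[-1]
        print(name, triage(ev), custom_action_payload(ev["command_line"]))
```

    The msiexec-to-PowerShell rule is a lead, not a verdict: installers built with tooling that implements custom actions this way produce the identical parent/child pair and policy override, so the decision rests on what scrBB76.ps1 does and on the network and file activity that follows it, not on the launcher line itself.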
    MITRE ATT&CK matrix, rebuilt by tactic from the flattened extraction. A number in front of a technique is the report's signature-count badge, reproduced as extracted; techniques without a number are the unhit cells of the matrix template.

    Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
    Resource Development: 1 Scripting | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
    Initial Access: 1 Replication Through Removable Media | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
    Execution: 1 Command and Scripting Interpreter | 1 PowerShell | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
    Persistence: 1 Windows Service | 1 Scripting | 1 DLL Side-Loading | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
    Privilege Escalation: 1 Windows Service | 11 Process Injection | 1 DLL Side-Loading | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
    Defense Evasion: 21 Masquerading | 1 Disable or Modify Tools | 21 Virtualization/Sandbox Evasion | 11 Process Injection | 1 Obfuscated Files or Information | 1 Timestomp | 1 DLL Side-Loading | 1 File Deletion
    Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
    Discovery: 1 System Time Discovery | 11 Security Software Discovery | 1 Process Discovery | 21 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 11 Peripheral Device Discovery | 13 System Information Discovery | System Owner/User Discovery
    Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
    Collection: 1 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
    Command and Control: 11 Encrypted Channel | 2 Non-Application Layer Protocol | 3 Application Layer Protocol | Protocol Impersonation | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol
    Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
    Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement
    Behavior Graph ID: 1583583 | Sample: Setup.msi | Start date: 03/01/2025 | Architecture: WINDOWS | Score: 68
    Signatures on the sample node: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Sigma detected: Suspicious Script Execution From Temp Folder; Sigma detected: Script Interpreter Execution From Suspicious Folder
    DNS/IP on the sample node: blamedical.com

    Process tree (numbers in parentheses are the graph's created-file and registry-value badges for that node):
    msiexec.exe (138, 104)
        dropped: C:\Windows\Installer\MSIBA94.tmp (PE32); C:\Windows\Installer\MSIB4C5.tmp (PE32); C:\Windows\Installer\MSIA91C.tmp (PE32); 51 other files (none is malicious)
        msiexec.exe (14)
            network: blamedical.com 104.21.32.1:443 from local port 49730, CLOUDFLARENETUS, United States
            dropped: C:\Users\user\AppData\Local\...\scrBB76.ps1 (Unicode); C:\Users\user\AppData\Local\...\pssBB88.ps1 (Unicode); C:\Users\user\AppData\Local\...\msiBB75.txt (Unicode)
            signature: Bypasses PowerShell execution policy
            powershell.exe (17)
                conhost.exe
            conhost.exe
        cmd.exe (1)
            obs-ffmpeg-mux.exe (1)
                conhost.exe
            conhost.exe
        createdump.exe (1)
            conhost.exe
    msiexec.exe (2)

    Source | Detection | Scanner
    Setup.msi | 8% | Virustotal

    Source (dropped file) | Detection | Scanner
    Under C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\:
    BCUninstaller.exe | 0% | ReversingLabs
    UnRar.exe | 0% | ReversingLabs
    api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-console-l1-2-0.dll | 0% | ReversingLabs
    api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs
    api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs
    api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs
    api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs
    api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs
    api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs
    avcodec-60.dll | 0% | ReversingLabs
    avformat-60.dll | 3% | ReversingLabs
    avutil-58.dll | 0% | ReversingLabs
    createdump.exe | 0% | ReversingLabs
    msvcp140.dll | 0% | ReversingLabs
    obs-ffmpeg-mux.exe | 0% | ReversingLabs
    swresample-4.dll | 0% | ReversingLabs
    swscale-7.dll | 0% | ReversingLabs
    utest.dll | 0% | ReversingLabs
    vcruntime140.dll | 0% | ReversingLabs
    vcruntime140_1.dll | 0% | ReversingLabs
    w32-pthreads.dll | 0% | ReversingLabs
    zlib.dll | 0% | ReversingLabs
    Under C:\Windows\Installer\:
    MSIA7AF.tmp | 0% | ReversingLabs
    MSIA82D.tmp | 0% | ReversingLabs
    MSIA85D.tmp | 0% | ReversingLabs
    MSIA87D.tmp | 0% | ReversingLabs
    MSIA8BC.tmp | 0% | ReversingLabs
    MSIA8EC.tmp | 0% | ReversingLabs
    MSIA91C.tmp | 0% | ReversingLabs
    MSIB4C5.tmp | 0% | ReversingLabs
    MSIBA94.tmp | 0% | ReversingLabs
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://schemas.micj | 0% | Avira URL Cloud | safe
    http://dashif.org/guidelines/trickmode | 0% | Avira URL Cloud | safe
    https://blamedical.com/updater.php | 0% | Avira URL Cloud | safe
    https://blamedical.com/updater.phpx | 0% | Avira URL Cloud | safe

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    blamedical.com | 104.21.32.1 | true | true | | unknown

    Name | Malicious | Antivirus Detection | Reputation
    https://blamedical.com/updater.php | true | Avira URL Cloud: safe | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1735203041.0000000006238000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1733167241.0000000005326000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.1733167241.00000000051D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1733167241.0000000005326000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.zlib.net/D | zlib.dll.1.dr | false | | high
    https://go.micro | powershell.exe, 00000003.00000002.1733167241.0000000005895000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.videolan.org/x264.html | obs-ffmpeg-mux.exe, 00000009.00000002.1798010893.00007FFDF9940000.00000002.00000001.01000000.00000008.sdmp | false | | high
    https://contoso.com/ | powershell.exe, 00000003.00000002.1735203041.0000000006238000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1735203041.0000000006238000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/License | powershell.exe, 00000003.00000002.1735203041.0000000006238000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://dashif.org/guidelines/trickmode | avformat-60.dll.1.dr | false | Avira URL Cloud: safe | unknown
    https://contoso.com/Icon | powershell.exe, 00000003.00000002.1735203041.0000000006238000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://schemas.micj | Setup.msi, 5b9f62.msi.1.dr | false | Avira URL Cloud: safe | unknown
    http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd | avformat-60.dll.1.dr | false | | high
    https://aka.ms/winui2/webview2download/Reload(): | Setup.msi, 5b9f62.msi.1.dr | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1733167241.00000000051D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1733167241.0000000005326000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://blamedical.com/updater.phpx | Setup.msi, 5b9f62.msi.1.dr | false | Avira URL Cloud: safe | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    104.21.32.1 | blamedical.com | United States | 13335 | CLOUDFLARENETUS | true
    Joe Sandbox version: 41.0.0 Charoite
    Analysis ID: 1583583
    Start date and time: 2025-01-03 05:46:13 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 6m 34s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 15
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: Setup.msi
    Detection: MAL
    Classification: mal68.evad.winMSI@18/88@1/1
    EGA Information:
    • Successful, ratio: 33.3%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 15
    • Number of non-executed functions: 34
    Cookbook Comments:
    • Found application associated with file extension: .msi
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe
    • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Execution Graph export aborted for target obs-ffmpeg-mux.exe, PID 2816, because it has no executed functions
    • Execution Graph export aborted for target powershell.exe, PID 3652, because it is empty
    • Not all processes were analyzed; the report is missing behavior information
    Time | Type | Description
    23:47:09 | API Interceptor | 3x Sleep call for process: powershell.exe modified
                                     Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                     104.21.32.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | redroomaudio.com/administrator/index.php
                                     Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                     blamedical.com | 6a7e35.msi | malicious | Unknown | 104.21.32.1
                                     Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                     CLOUDFLARENETUS | PO_B2W984.com | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 104.21.67.152
                                       | http://4.nscqn.dashboradcortx.xyz/4hbVgI3060FFjU163rczgakrldw288HJUBSXEIQRWLNTA425583MYLP8076x12 | malicious | Unknown | 1.1.1.1
                                       | ogVinh0jhq.exe | malicious | DCRat | 104.20.4.235
                                       | https://myburbank-uat.3didemo.com | malicious | HTMLPhisher | 104.26.13.57
                                       | hiwA7Blv7C.exe | malicious | Xmrig | 172.67.19.24
                                       | http://hotelyetipokhara.com | malicious | Unknown | 104.21.96.1
                                       | https://realpaperworks.com/wp-content/red/UhPIYa | malicious | Unknown | 104.21.96.1
                                       | http://adflowtube.com | malicious | Unknown | 188.114.96.3
                                       | http://authmycookie.com | malicious | Unknown | 172.67.198.196
                                       | http://keywestlending.com | malicious | CAPTCHA Scam ClickFix | 172.64.154.248
                                     Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                     37f463bf4616ecd445d4a1937da06e19 | Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe | malicious | Remcos | 104.21.32.1
                                       | file.exe | malicious | XRed | 104.21.32.1
                                       | file.exe | malicious | XRed | 104.21.32.1
                                       | file.exe | malicious | XRed | 104.21.32.1
                                       | file.exe | malicious | XRed | 104.21.32.1
                                       | file.exe | malicious | XRed | 104.21.32.1
                                       | file.exe | malicious | XRed | 104.21.32.1
                                       | file.exe | malicious | XRed | 104.21.32.1
                                       | file.exe | malicious | XRed | 104.21.32.1
                                       | file.exe | malicious | XRed | 104.21.32.1
                                     Match | Associated Sample Name / URL | Detection | Threat Name
                                     C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\BCUninstaller.exe | 6a7e35.msi | malicious | Unknown
                                       | setup.msi | malicious | Unknown
                                       | setup.msi | malicious | Unknown
                                       | setup.msi | malicious | Unknown
                                       | setup.msi | malicious | Unknown
                                       | setup.msi | malicious | Unknown
                                       | 48.252.190.9.zip | malicious | Unknown
                                       | setup.msi | malicious | Unknown
                                       | TrdIE26br9.msi | malicious | Unknown
                                       | b8ygJBG5cb.msi | malicious | Unknown
                                     C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\UnRar.exe | 6a7e35.msi | malicious | Unknown
                                       | setup.msi | malicious | Unknown
                                       | setup.msi | malicious | Unknown
                                       | setup.msi | malicious | Unknown
                                       | setup.msi | malicious | Unknown
                                       | setup.msi | malicious | Unknown
                                       | 48.252.190.9.zip | malicious | Unknown
                                       | setup.msi | malicious | Unknown
                                       | TrdIE26br9.msi | malicious | Unknown
                                       | b8ygJBG5cb.msi | malicious | Unknown
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:data
                                                                            Category:modified
                                                                            Size (bytes):20056
                                                                            Entropy (8bit):5.838477874158953
                                                                            Encrypted:false
                                                                            SSDEEP:384:WUUGcQt7Sz5BuHbpjkLOOkskNpIoj2Eql5UMFhr3q5eh9W6WbFTIa9r4YtVmUwgQ:WUUGcQt7Sz5BuHbpjkLOOkskNpIoj2Em
                                                                            MD5:44FDB3316428BDF5FD159BFA1D966838
                                                                            SHA1:5D0961640BF723909027FE468AFFA00D90616CF9
                                                                            SHA-256:68D8F71CEE414122BC6870516821AA3F44AD74923316CE8BAE783256A096176F
                                                                            SHA-512:4645FF70F799B75C469FAFA15A986ACA72F31CE34229BFAE75E8C73C69AF20537B0DB62496DDE0AC7F225DCD5BC27AFAFC3AA00CAB477522B234E40E3329568F
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):1360
                                                                            Entropy (8bit):5.413197223328133
                                                                            Encrypted:false
                                                                            SSDEEP:24:3UWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NK3R82r6SVbu:EWSU4y4RQmFoUeWmfmZ9tK8NWR823Vbu
                                                                            MD5:4EE98ECBC11472A5F2C270505F6B3879
                                                                            SHA1:8522F7DA43966CA85A15553AB079EE3877350FF3
                                                                            SHA-256:E2BD932F23DB7A52BE4921DB1C3D25BCDC2E9AA6CEEF34D68596CA2A6D97D454
                                                                            SHA-512:D48EDFA575431893A668FED2BC500529D41BF3583C48B8C3080296CAE41F1657B8715A40BFA8565436F31685EC25C0A93903D3E3532426178C9890C16D35BF1D
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\SysWOW64\msiexec.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):100
                                                                            Entropy (8bit):3.0073551160284637
                                                                            Encrypted:false
                                                                            SSDEEP:3:Q0JUINRYplflrOdlVWNlANf5Yplf955:Q0JB0LJOn03ANqLN
                                                                            MD5:7A131AC8F407D08D1649D8B66D73C3B0
                                                                            SHA1:D93E1B78B1289FB51E791E524162D69D19753F22
                                                                            SHA-256:9ACBF0D3EEF230CC2D5A394CA5657AE42F3E369292DA663E2537A278A811FF5B
                                                                            SHA-512:47B6FF38B4DF0845A83F17E0FE889747A478746E1E7F17926A5CCAC1DD39C71D93F05A88E0EC176C1E5D752F85D4BDCFFB5C64125D1BA92ACC91D03D6031848D
                                                                            Malicious:true
                                                                             Preview:QuiteSes :<->:  <<:>> ExtendExpire :<->: 0 <<:>> 
                                                                            Process:C:\Windows\SysWOW64\msiexec.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):6668
                                                                            Entropy (8bit):3.5127462716425657
                                                                            Encrypted:false
                                                                            SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                                            MD5:30C30EF2CB47E35101D13402B5661179
                                                                            SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                                            SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                                            SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                                            Malicious:true
                                                                             Preview:
                                                                             param(
                                                                               [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
                                                                              ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
                                                                              ,[alias("lineSep")]       [Parameter(Mandatory=$true)] [string] $msiPropLineSeparator
                                                                              ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
                                                                              ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
                                                                              ,[Parameter(Mandatory=$true)]
                                                                            Process:C:\Windows\SysWOW64\msiexec.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):254
                                                                            Entropy (8bit):3.555045878547657
                                                                            Encrypted:false
                                                                            SSDEEP:6:QfFok79idK3fOlFogltHN+KiVmMXFVrMTlP1LlG7JidK3falnUOn03AnfInO:QfF3KvogM/XFVrMTQNeFUr3+
                                                                            MD5:E8A84AE0A0597E0C4FBB7FA36F7D0CA7
                                                                            SHA1:B97096DF7801FA5F91542F0F9A70616DD5D49B03
                                                                            SHA-256:9F2D8F053895BF9377A4686714833304E87A4E926B7581599D44B45380B5DFDE
                                                                            SHA-512:83960868B8DBFFEF2B3EE557AD89BB18CF80043FEB2A7BFDB0630F32A1870585158E4F4B367C72BBFDD760A586E5D1FEB73192C0E769507A6ED81E90BF4925EB
                                                                            Malicious:true
                                                                             Preview:
                                                                             $oignqp = AI_GetMsiProperty "QuiteSes"
                                                                             $avoijg = [uint32]($oignqp -replace 't', '')
                                                                             AI_SetMsiProperty "ExtendExpire" $avoijg
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                            Category:dropped
                                                                            Size (bytes):195906
                                                                            Entropy (8bit):4.669224805215773
                                                                            Encrypted:false
                                                                            SSDEEP:1536:k1Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9ykl:k1Z0vZXJZYDFufyXbJNCcr
                                                                            MD5:E40B08C6FF5F07916B45741B7D0C5E87
                                                                            SHA1:94C2357A59BAA3B537993F570CEA03EC51C1917B
                                                                            SHA-256:131ABD59B7D4B6177F2815E8CEB0F3DA325CB1074AEFBE99F61A382F1895AF44
                                                                            SHA-512:FA8453DD4936F772381E50533CD91DB8857F1A608CEB91F225300FC4E9DE8475EB416A3682D0C85829058570EBB9BBDF18CC650D36FA87E13BC262C827D0C695
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):310928
                                                                            Entropy (8bit):6.001677789306043
                                                                            Encrypted:false
                                                                            SSDEEP:3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
                                                                            MD5:147B71C906F421AC77F534821F80A0C6
                                                                            SHA1:3381128CA482A62333E20D0293FDA50DC5893323
                                                                            SHA-256:7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
                                                                            SHA-512:2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Joe Sandbox View:
                                                                            • Filename: 6a7e35.msi, Detection: malicious, Browse
                                                                            • Filename: setup.msi, Detection: malicious, Browse
                                                                            • Filename: setup.msi, Detection: malicious, Browse
                                                                            • Filename: setup.msi, Detection: malicious, Browse
                                                                            • Filename: setup.msi, Detection: malicious, Browse
                                                                            • Filename: setup.msi, Detection: malicious, Browse
                                                                            • Filename: 48.252.190.9.zip, Detection: malicious, Browse
                                                                            • Filename: setup.msi, Detection: malicious, Browse
                                                                            • Filename: TrdIE26br9.msi, Detection: malicious, Browse
                                                                            • Filename: b8ygJBG5cb.msi, Detection: malicious, Browse
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):506008
                                                                            Entropy (8bit):6.4284173495366845
                                                                            Encrypted:false
                                                                            SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                                                            MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                                                            SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                                                            SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                                                            SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Joe Sandbox View:
                                                                            • Filename: 6a7e35.msi, Detection: malicious, Browse
                                                                            • Filename: setup.msi, Detection: malicious, Browse
                                                                            • Filename: setup.msi, Detection: malicious, Browse
                                                                            • Filename: setup.msi, Detection: malicious, Browse
                                                                            • Filename: setup.msi, Detection: malicious, Browse
                                                                            • Filename: setup.msi, Detection: malicious, Browse
                                                                            • Filename: 48.252.190.9.zip, Detection: malicious, Browse
                                                                            • Filename: setup.msi, Detection: malicious, Browse
                                                                            • Filename: TrdIE26br9.msi, Detection: malicious, Browse
                                                                            • Filename: b8ygJBG5cb.msi, Detection: malicious, Browse
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 12224
Entropy (8bit): 6.596101286914553
Encrypted: false
SSDEEP: 192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
MD5: 919E653868A3D9F0C9865941573025DF
SHA1: EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
SHA-256: 2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
SHA-512: 6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 12224
Entropy (8bit): 6.640081558424349
Encrypted: false
SSDEEP: 192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
MD5: 7676560D0E9BC1EE9502D2F920D2892F
SHA1: 4A7A7A99900E41FF8A359CA85949ACD828DDB068
SHA-256: 00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
SHA-512: F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11712
Entropy (8bit): 6.6023398138369505
Encrypted: false
SSDEEP: 192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
MD5: AC51E3459E8FCE2A646A6AD4A2E220B9
SHA1: 60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
SHA-256: 77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
SHA-512: 6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11720
Entropy (8bit): 6.614262942006268
Encrypted: false
SSDEEP: 192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
MD5: B0E0678DDC403EFFC7CDC69AE6D641FB
SHA1: C1A4CE4DED47740D3518CD1FF9E9CE277D959335
SHA-256: 45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
SHA-512: 2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11720
Entropy (8bit): 6.654155040985372
Encrypted: false
SSDEEP: 192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
MD5: 94788729C9E7B9C888F4E323A27AB548
SHA1: B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
SHA-256: ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
SHA-512: AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 15304
Entropy (8bit): 6.548897063441128
Encrypted: false
SSDEEP: 192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
MD5: 580D9EA2308FC2D2D2054A79EA63227C
SHA1: 04B3F21CBBA6D59A61CD839AE3192EA111856F65
SHA-256: 7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
SHA-512: 97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11712
Entropy (8bit): 6.622041192039296
Encrypted: false
SSDEEP: 192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
MD5: 35BC1F1C6FBCCEC7EB8819178EF67664
SHA1: BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
SHA-256: 7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
SHA-512: 9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11720
Entropy (8bit): 6.730719514840594
Encrypted: false
SSDEEP: 192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
MD5: 3BF4406DE02AA148F460E5D709F4F67D
SHA1: 89B28107C39BB216DA00507FFD8ADB7838D883F6
SHA-256: 349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
SHA-512: 5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11720
Entropy (8bit): 6.626458901834476
Encrypted: false
SSDEEP: 192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
MD5: BBAFA10627AF6DFAE5ED6E4AEAE57B2A
SHA1: 3094832B393416F212DB9107ADD80A6E93A37947
SHA-256: C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
SHA-512: D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 12232
Entropy (8bit): 6.577869728469469
Encrypted: false
SSDEEP: 192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
MD5: 3A4B6B36470BAD66621542F6D0D153AB
SHA1: 5005454BA8E13BAC64189C7A8416ECC1E3834DC6
SHA-256: 2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
SHA-512: 84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11712
Entropy (8bit): 6.6496318655699795
Encrypted: false
SSDEEP: 192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
MD5: A038716D7BBD490378B26642C0C18E94
SHA1: 29CD67219B65339B637A1716A78221915CEB4370
SHA-256: B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
SHA-512: 43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 12736
Entropy (8bit): 6.587452239016064
Encrypted: false
SSDEEP: 192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
MD5: D75144FCB3897425A855A270331E38C9
SHA1: 132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
SHA-256: 08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
SHA-512: 295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):14280
                                                                            Entropy (8bit):6.658205945107734
                                                                            Encrypted:false
                                                                            SSDEEP:384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
                                                                            MD5:8ACB83D102DABD9A5017A94239A2B0C6
                                                                            SHA1:9B43A40A7B498E02F96107E1524FE2F4112D36AE
                                                                            SHA-256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
                                                                            SHA-512:B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......._....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):12224
                                                                            Entropy (8bit):6.621310788423453
                                                                            Encrypted:false
                                                                            SSDEEP:96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
                                                                            MD5:808F1CB8F155E871A33D85510A360E9E
                                                                            SHA1:C6251ABFF887789F1F4FC6B9D85705788379D149
                                                                            SHA-256:DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
                                                                            SHA-512:441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...f092.........." .........................................................0............`.........................................`...l............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):11720
                                                                            Entropy (8bit):6.7263193693903345
                                                                            Encrypted:false
                                                                            SSDEEP:192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
                                                                            MD5:CFF476BB11CC50C41D8D3BF5183D07EC
                                                                            SHA1:71E0036364FD49E3E535093E665F15E05A3BDE8F
                                                                            SHA-256:B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
                                                                            SHA-512:7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....%..........." .........................................................0......[.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):12744
                                                                            Entropy (8bit):6.601327134572443
                                                                            Encrypted:false
                                                                            SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
                                                                            MD5:F43286B695326FC0C20704F0EEBFDEA6
                                                                            SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
                                                                            SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
                                                                            SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0.......Z....`.........................................`...H............ ...................!..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):14272
                                                                            Entropy (8bit):6.519411559704781
                                                                            Encrypted:false
                                                                            SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                                            MD5:E173F3AB46096482C4361378F6DCB261
                                                                            SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                                            SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                                            SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...j............." .........................................................0......%C....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):12232
                                                                            Entropy (8bit):6.659079053710614
                                                                            Encrypted:false
                                                                            SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                                            MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                                            SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                                            SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                                            SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......6y....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):11200
                                                                            Entropy (8bit):6.7627840671368835
                                                                            Encrypted:false
                                                                            SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                                            MD5:0233F97324AAAA048F705D999244BC71
                                                                            SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                                            SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                                            SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....f............" .........................................................0.......>....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):12224
                                                                            Entropy (8bit):6.590253878523919
                                                                            Encrypted:false
                                                                            SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                                            MD5:E1BA66696901CF9B456559861F92786E
                                                                            SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                                            SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                                            SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...._............" .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):11720
                                                                            Entropy (8bit):6.672720452347989
                                                                            Encrypted:false
                                                                            SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                                            MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                                            SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                                            SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                                            SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....<.........." .........................................................0.......g....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):13760
                                                                            Entropy (8bit):6.575688560984027
                                                                            Encrypted:false
                                                                            SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                                            MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                                            SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                                            SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                                            SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0............`.........................................`...X............ ...................!..............T............................................................................rdata..|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):12232
                                                                            Entropy (8bit):6.70261983917014
                                                                            Encrypted:false
                                                                            SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                                            MD5:D175430EFF058838CEE2E334951F6C9C
                                                                            SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                                            SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                                            SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......G.....`.........................................`...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):12744
                                                                            Entropy (8bit):6.599515320379107
                                                                            Encrypted:false
                                                                            SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                                            MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                                            SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                                            SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                                            SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):12232
                                                                            Entropy (8bit):6.690164913578267
                                                                            Encrypted:false
                                                                            SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                                            MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                                                            SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                                                            SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                                                            SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):11720
                                                                            Entropy (8bit):6.615761482304143
                                                                            Encrypted:false
                                                                            SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                                                            MD5:735636096B86B761DA49EF26A1C7F779
                                                                            SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                                                            SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                                                            SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):12744
                                                                            Entropy (8bit):6.627282858694643
                                                                            Encrypted:false
                                                                            SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                                                            MD5:031DC390780AC08F498E82A5604EF1EB
                                                                            SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                                                            SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                                                            SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):15816
                                                                            Entropy (8bit):6.435326465651674
                                                                            Encrypted:false
                                                                            SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                                            MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                                            SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                                            SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                                            SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):12232
                                                                            Entropy (8bit):6.5874576656353145
                                                                            Encrypted:false
                                                                            SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                                            MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                                            SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                                            SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                                            SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):13768
                                                                            Entropy (8bit):6.645869978118917
                                                                            Encrypted:false
                                                                            SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                                            MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                                            SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                                            SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                                            SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):37333152
                                                                            Entropy (8bit):6.632921864082428
                                                                            Encrypted:false
                                                                            SSDEEP:393216:LzyCmQCOCLheXbl4MEf+Eidgrpj3xO6FLzq2KHplhrX5:L5WLheXbl4MEf+HgrpjVF6PD5
                                                                            MD5:32F56F3E644C4AC8C258022C93E62765
                                                                            SHA1:06DFF5904EBBF69551DFA9F92E6CC2FFA9679BA1
                                                                            SHA-256:85AF2FB4836145098423E08218AC381110A6519CB559FF6FC7648BA310704315
                                                                            SHA-512:CAE2B9E40FF71DDAF76A346C20028867439B5726A16AE1AD5E38E804253DFCF6ED0741095A619D0999728D953F2C375329E86B8DE4A0FCE55A8CDC13946D5AD8
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):5100112
                                                                            Entropy (8bit):6.374242928276845
                                                                            Encrypted:false
                                                                            SSDEEP:49152:WBUp8DPNkkup6GAx9HEekwEfG/66xcPiw+UgAnBM+sVf9d3PWKOyz/Omlc69kXOV:WB/Z16w8idUgfT0b6LnBSpytGyodUl
                                                                            MD5:01589E66D46ABCD9ACB739DA4B542CE4
                                                                            SHA1:6BF1BD142DF68FA39EF26E2CAE82450FED03ECB6
                                                                            SHA-256:9BB4A5F453DA85ACD26C35969C049592A71A7EF3060BFA4EB698361F2EDB37A3
                                                                            SHA-512:0527AF5C1E7A5017E223B3CC0343ED5D42EC236D53ECA30D6DECCEB2945AF0C1FBF8C7CE367E87BC10FCD54A77F5801A0D4112F783C3B7E829B2F40897AF8379
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):1089600
                                                                            Entropy (8bit):6.535744457220272
                                                                            Encrypted:false
                                                                            SSDEEP:24576:NFUq9wHzADwiB0Bm3k6gz0sA+wLDZyoFNRsKYw:TUdMDwIgm3kpzsNpyoFDsKYw
                                                                            MD5:3AAF57892F2D66F4A4F0575C6194F0F8
                                                                            SHA1:D65C9143603940EDE756D7363AB6750F6B45AB4E
                                                                            SHA-256:9E0D0A05B798DA5D6C38D858CE1AD855C6D68BA2F9822FA3DA16E148E97F9926
                                                                            SHA-512:A5F595D9C48B8D5191149D59896694C6DD0E9E1AF782366162D7E3C90C75B2914F6E7AFF384F4B59CA7C5A1ECCCDBF5758E90A6A2B14A8625858A599DCCA429B
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):57488
                                                                            Entropy (8bit):6.382541157520703
                                                                            Encrypted:false
                                                                            SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                                                            MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                                                            SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                                                            SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                                                            SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:RAR archive data, v5
                                                                            Category:dropped
                                                                            Size (bytes):405486
                                                                            Entropy (8bit):7.999602157187265
                                                                            Encrypted:true
                                                                            SSDEEP:12288:hcLW3D1/z6+lXMmBpDYhV6DCg7FGkqun3OLK5igRE:WCD1/NXzBZY76DCg7FGkqu3OL8m
                                                                            MD5:99CB3FCF1A0AAE292694F6C280DD13B3
                                                                            SHA1:853C3577C33D6FCBF085CBBFF1DA7346D8D819EB
                                                                            SHA-256:DABFF953C7F3B4338EE537253529DC351A954E95B30E6DFD34F083016F5D6886
                                                                            SHA-512:AA2E9FA0CE0008645E56EB981B78740666E20D84B688DE46A0C023A0E38C902BD19C5CA0506B77F8976EC31D29B834CE021FF95A88756E82511AC8F94301D588
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):566704
                                                                            Entropy (8bit):6.494428734965787
                                                                            Encrypted:false
                                                                            SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                                            MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                                            SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                                            SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                                            SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):35656
                                                                            Entropy (8bit):6.370522595411868
                                                                            Encrypted:false
                                                                            SSDEEP:768:ixmeWkfdHAWcgj7Y7rEabyLcRwEpYinAMx1nyqaJ:pXUdg8jU7r4LcRZ7Hx1nyqa
                                                                            MD5:D3CAC4D7B35BACAE314F48C374452D71
                                                                            SHA1:95D2980786BC36FEC50733B9843FDE9EAB081918
                                                                            SHA-256:4233600651FB45B9E50D2EC8B98B9A76F268893B789A425B4159675B74F802AA
                                                                            SHA-512:21C8D73CC001EF566C1F3C7924324E553A6DCA68764ECB11C115846CA54E74BD1DFED12A65AF28D9B00DDABA04F987088AA30E91B96E050E4FC1A256FFF20880
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):22
                                                                            Entropy (8bit):3.879664004902594
                                                                            Encrypted:false
                                                                            SSDEEP:3:mKDDlR+7H6U:hOD6U
                                                                            MD5:D9324699E54DC12B3B207C7433E1711C
                                                                            SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                                                            SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                                                            SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                                                            Malicious:false
                                                                            Preview:@echo off..Start "" %1
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):158968
                                                                            Entropy (8bit):6.4238235663554955
                                                                            Encrypted:false
                                                                            SSDEEP:1536:izN/1rbQ+rTccg/Lla75jjVBzYCDNzuDQr5whduOd7EKPuh9Aco6uAGUtQFUzcnX:8N/FQ+rejlaFhdrXORhjD6VGUtQWk
                                                                            MD5:7FB892E2AC9FF6981B6411FF1F932556
                                                                            SHA1:861B6A1E59D4CD0816F4FEC6FD4E31FDE8536C81
                                                                            SHA-256:A45A29AECB118FC1A27ECA103EAD50EDD5343F85365D1E27211FE3903643C623
                                                                            SHA-512:986672FBB14F3D61FFF0924801AAB3E9D6854BB3141B95EE708BF5B80F8552D5E0D57182226BABA0AE8995A6A6F613864AB0E5F26C4DCE4EB88AB82B060BDAC5
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):707200
                                                                            Entropy (8bit):6.610520126248797
                                                                            Encrypted:false
                                                                            SSDEEP:12288:hTl8xt5jEuhuoWZz8Rt5brZcXVEZMbYwepVQ0G6ddTD8qevJMLf50555555555mj:hZ8xt5jEuhuoWZz8Rt5brZcXVEZMbYJz
                                                                            MD5:1144E36E0F8F739DB55A7CF9D4E21E1B
                                                                            SHA1:9FA49645C0E3BAE0EDD44726138D7C72EECE06DD
                                                                            SHA-256:65F8E4D76067C11F183C0E1670972D81E878E6208E501475DE514BC4ED8638FD
                                                                            SHA-512:A82290D95247A67C4D06E5B120415318A0524D00B9149DDDD8B32E21BBD0EE4D86BB397778C4F137BF60DDD4167EE2E9C6490B3018031053E9FE3C0D0B3250E7
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):12124160
                                                                            Entropy (8bit):4.1175508751036585
                                                                            Encrypted:false
                                                                            SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                                                            MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                                                            SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                                                            SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                                                            SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                                                            Malicious:false
                                                                            Preview:.................*.\.....................................+................................Ol.....................................">.............................d..3......................A.......@...... t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:Java jmod module version 1.0
                                                                            Category:dropped
                                                                            Size (bytes):51389
                                                                            Entropy (8bit):7.916683616123071
                                                                            Encrypted:false
                                                                            SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                                            MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                                            SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                                            SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                                            SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:Java jmod module version 1.0
                                                                            Category:dropped
                                                                            Size (bytes):41127
                                                                            Entropy (8bit):7.961466748192397
                                                                            Encrypted:false
                                                                            SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                                            MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                                            SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                                            SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                                            SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:Java jmod module version 1.0
                                                                            Category:dropped
                                                                            Size (bytes):113725
                                                                            Entropy (8bit):7.928841651831531
                                                                            Encrypted:false
                                                                            SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                                            MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                                            SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                                            SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                                            SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:Java jmod module version 1.0
                                                                            Category:dropped
                                                                            Size (bytes):896846
                                                                            Entropy (8bit):7.923431656723031
                                                                            Encrypted:false
                                                                            SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                                            MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                                            SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                                            SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                                            SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):639224
                                                                            Entropy (8bit):6.219852228773659
                                                                            Encrypted:false
                                                                            SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                                                            MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                                                            SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                                                            SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                                                            SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):98224
                                                                            Entropy (8bit):6.452201564717313
                                                                            Encrypted:false
                                                                            SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                                            MD5:F34EB034AA4A9735218686590CBA2E8B
                                                                            SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                                            SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                                            SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):37256
                                                                            Entropy (8bit):6.297533243519742
                                                                            Encrypted:false
                                                                            SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
                                                                            MD5:135359D350F72AD4BF716B764D39E749
                                                                            SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
                                                                            SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
                                                                            SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):53576
                                                                            Entropy (8bit):6.371750593889357
                                                                            Encrypted:false
                                                                            SSDEEP:1536:ij2SSS5nVoSiH/pOfv3Q3cY37Hx1nI6q:GhSSntiH/pOfvAf3
                                                                            MD5:E1EEBD44F9F4B52229D6E54155876056
                                                                            SHA1:052CEA514FC3DA5A23DE6541F97CD4D5E9009E58
                                                                            SHA-256:D96F2242444A334319B4286403D4BFADAF3F9FCCF390F3DD40BE32FB48CA512A
                                                                            SHA-512:235BB9516409A55FE7DDB49B4F3179BDCA406D62FD0EC1345ACDDF032B0F3F111C43FF957D4D09AD683D39449C0FFC4C050B387507FADF5384940BD973DAB159
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):144200
                                                                            Entropy (8bit):6.592048391646652
                                                                            Encrypted:false
                                                                            SSDEEP:1536:GjxOs8gLeu4iSssNiTh9Yks32X3KqVy5SmBolzXfqLROJA0o1ZXMvr7Rn6dheIOI:I34iDsG5vm4bfqFKoDmr7h2MHTtwV6K
                                                                            MD5:3A0DBC5701D20AA87BE5680111A47662
                                                                            SHA1:BC581374CA1EBE8565DB182AC75FB37413220F03
                                                                            SHA-256:D53BC4348AD6355C20F75ED16A2F4F641D24881956A7AE8A0B739C0B50CF8091
                                                                            SHA-512:4740945606636C110AB6C365BD1BE6377A2A9AC224DE6A79AA506183472A9AD0641ECC63E5C5219EE8097ADEF6533AB35E2594D6F8A91788347FDA93CDB0440E
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {407D30C8-5796-4E25-8C18-75DF537E90CA}, Number of Words: 10, Subject: Triund App, Author: Ubrovs Apps Coops, Name of Creating Application: Triund App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Triund App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Jan 1 23:05:44 2025, Last Saved Time/Date: Wed Jan 1 23:05:44 2025, Last Printed: Wed Jan 1 23:05:44 2025, Number of Pages: 450
                                                                            Category:dropped
                                                                            Size (bytes):60710400
                                                                            Entropy (8bit):7.21442765814377
                                                                            Encrypted:false
                                                                            SSDEEP:1572864:8r8VmrjV7eIvnOTZScazQOie5juBl7lgAF:GHzccye1uBxl1
                                                                            MD5:523591C4BC224A911B1B9D706CD7EAB5
                                                                            SHA1:4522D4D244B6BFE23664D862233783024B80933A
                                                                            SHA-256:82CF590A9B6EB15A555C556BA25B143A2AE1977379646A2B6990DB15E3DFF635
                                                                            SHA-512:A8F8280D3895B24EF2080E33AA952305195233E055BCE747E24CD43904165E2D16601974013BEC96ED2FF11E1D16A72C6ADB899F7D3309F4ADA07DFD9E5F5F4F
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):1021792
                                                                            Entropy (8bit):6.608727172078022
                                                                            Encrypted:false
                                                                            SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                            MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                            SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                            SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                            SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):1201504
                                                                            Entropy (8bit):6.4557937684843365
                                                                            Encrypted:false
                                                                            SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                                                            MD5:E83D774F643972B8ECCDB3A34DA135C5
                                                                            SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                                                            SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                                                            SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):380520
                                                                            Entropy (8bit):6.512348002260683
                                                                            Encrypted:false
                                                                            SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                                            MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                                            SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                                            SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                                            SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?{..?{..?{..x..?{..~..?{...x..?{......?{...~..?{.....?{..z..?{..?z..>{..r..?{..{..?{....?{..?.?{..y..?{.Rich.?{.........PE..L...>.$g.........."!...)..................... .......................................'....@A........................@3..X....3.......... ...............h:.......6..@...p...............................@............ ..(............................text...J........................... ..`.rdata...$... ...&..................@..@.data....!...P......................@....fptable.............@..............@....rsrc... ............B..............@..@.reloc...6.......8...\..............@..B........................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):215344
                                                                            Entropy (8bit):4.946202186881796
                                                                            Encrypted:false
                                                                            SSDEEP:1536:4u19WTC1Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9ykw5:4Q9J1Z0vZXJZYDFufyXbJNCc8
                                                                            MD5:B9A16058B5C33B57B4EEFAAD6FD5703D
                                                                            SHA1:E585EC26E68BDC67E885F19768A040499C5369C8
                                                                            SHA-256:C97DE1ACEB35967F7E5EDEC609283A4C42FBE3933B75448347E374FD64456FFD
                                                                            SHA-512:E98AC7267DF6C5BBBFDB44825D859D073F3C86240DA082B963F3B6508483E51BD2B914D8C218F6AA89F4020550B8530BC11123962AAAFC227D45BE25A9E8DAD7
                                                                            Malicious:false
                                                                            Preview:...@IXOS.@.....@."Z.@.....@.....@.....@.....@.....@......&.{B226FDD8-45CE-468C-BC02-427FB575E735}..Triund App..Setup.msi.@.....@.....@.....@......icon_24.exe..&.{407D30C8-5796-4E25-8C18-75DF537E90CA}.....@.....@.....@.....@.......@.....@.....@.......@......Triund App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@3....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}<.C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}1.21:\Software\Ubrovs Apps Coops\Triund App\Version.@.......@.....@.....@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}E.C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\utest.dll.@.......@.....@.....@......&.{B61B35E4-8BE1-4171-B69B-E2423CE9179F}L.C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\vcruntime140.dll.@.......@.....@.....@......&.{FDDB96EE-847D-
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):787808
                                                                            Entropy (8bit):6.693392695195763
                                                                            Encrypted:false
                                                                            SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                                            MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                                            SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                                            SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                                            SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                            Category:dropped
                                                                            Size (bytes):20480
                                                                            Entropy (8bit):1.1614322252363025
                                                                            Encrypted:false
                                                                            SSDEEP:12:JSbX72FjbAGiLIlHVRpMh/7777777777777777777777777vDHFL7NM8pUp3Xl0G:JVQI5cZpW6F
                                                                            MD5:A60CFF8D32069DB04B532A6DC185D8C8
                                                                            SHA1:96BA132A4C313B89977FE8F765F14870DE996163
                                                                            SHA-256:38CAE5ABC62AFF2AC7FE9997092DD158C229000158D4C01FAE8B344F5C6972B2
                                                                            SHA-512:E0778FCC5B99F09F1E8296B4F28891094A736DF2FCF3FA7E0A1A24C33B21831EF3BDD98855786EAB8C21528B584865B4533F34B960B135EEB2002067CF44E675
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                            Category:dropped
                                                                            Size (bytes):20480
                                                                            Entropy (8bit):1.5694495463631415
                                                                            Encrypted:false
                                                                            SSDEEP:48:w8PhluRc06WXOCnT5SpjAqgMoAECiCyDSCpoMXuASC4TSS:fhl1UnTwnEC83X1
                                                                            MD5:0A4BF34EF113DAB2C159AAA4EF61D3A0
                                                                            SHA1:67EAD72BDF2E8F642435F2B09D83D98B06F5C504
                                                                            SHA-256:BB4096C895509D1D68A03867B23F12AD7A1B4B3F3C03FF4EB4610255BC909799
                                                                            SHA-512:41704F6F81D605D5F1EEEB4C67769BE9A546A678B976866AAF0F2B2A11F273E6B85F08106FA2FABC2D60823BAEB286939E708215812F94CE68424C47F54DD11C
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):432221
                                                                            Entropy (8bit):5.375162276674252
                                                                            Encrypted:false
                                                                            SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaux:zTtbmkExhMJCIpEr0
                                                                            MD5:76C98BE6BA07E92D5DC8F5E1EFC8F2B0
                                                                            SHA1:00575DCA40FBD98020563FA66DDD7DDE229B4DE0
                                                                            SHA-256:19C1682AFA7B1381475F814A0F16F490A4FC3DCC933497D95A9E093C7B757C59
                                                                            SHA-512:66FDA5AAC4FFC34B140F2C4126B0F83BAF4A187222AEE06216958919B1345252823025FE989AD22DC5567E431A78DECFFADF2FC0B89E2B60627A45D77D0E9609
                                                                            Malicious:false
                                                                            Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                            Category:dropped
                                                                            Size (bytes):32768
                                                                            Entropy (8bit):1.2572990505463375
                                                                            Encrypted:false
                                                                            SSDEEP:48:wgduBNvcFXOxT5jpjAqgMoAECiCyDSCpoMXuASC4TSS:ZdXsTXnEC83X1
                                                                            MD5:EC1196B57F12A011DE760D8877467780
                                                                            SHA1:77B3A631C0128D8A22B0CFFA1E93CD5E334835E2
                                                                            SHA-256:3D7E61AA4C74FDD34B49A06E4535D8CCE38B6AF164B6385E7F75E2314B1806A7
                                                                            SHA-512:FF3C44375D7FE116243D89518FD15F9000B5771FE7533D6EDE80F368CF0358392986127982B86D044010218782B597A47B7B576853CA793C217AB57D8A20064C
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):512
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3::
                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):32768
                                                                            Entropy (8bit):0.06823849633429507
                                                                            Encrypted:false
                                                                            SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOL7NM8pEg2QyVky6l3X:2F0i8n0itFzDHFL7NM8pV3X
                                                                            MD5:190ACB9E5B589E3677D248AFAC896A3D
                                                                            SHA1:E0B92BA0AF220F73E9E8BEDA8A1213665B37B8BF
                                                                            SHA-256:CA55476D67C75C6301C9D22C489391C3CCDE153C9329BB17163C671DA24E5787
                                                                            SHA-512:B7C23033E513C0498EC37ECF6ED6CC4621A26D2C321F617EBFAE627E981D0A7DCEAFD958FC4CF727547A17C7A98549162155ACC96A1D00C4AFF214026BC65EF3
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                            Category:dropped
                                                                            Size (bytes):32768
                                                                            Entropy (8bit):1.2572990505463375
                                                                            Encrypted:false
                                                                            SSDEEP:48:wgduBNvcFXOxT5jpjAqgMoAECiCyDSCpoMXuASC4TSS:ZdXsTXnEC83X1
                                                                            MD5:EC1196B57F12A011DE760D8877467780
                                                                            SHA1:77B3A631C0128D8A22B0CFFA1E93CD5E334835E2
                                                                            SHA-256:3D7E61AA4C74FDD34B49A06E4535D8CCE38B6AF164B6385E7F75E2314B1806A7
                                                                            SHA-512:FF3C44375D7FE116243D89518FD15F9000B5771FE7533D6EDE80F368CF0358392986127982B86D044010218782B597A47B7B576853CA793C217AB57D8A20064C
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                            Category:dropped
                                                                            Size (bytes):32768
                                                                            Entropy (8bit):1.2572990505463375
                                                                            Encrypted:false
                                                                            SSDEEP:48:wgduBNvcFXOxT5jpjAqgMoAECiCyDSCpoMXuASC4TSS:ZdXsTXnEC83X1
                                                                            MD5:EC1196B57F12A011DE760D8877467780
                                                                            SHA1:77B3A631C0128D8A22B0CFFA1E93CD5E334835E2
                                                                            SHA-256:3D7E61AA4C74FDD34B49A06E4535D8CCE38B6AF164B6385E7F75E2314B1806A7
                                                                            SHA-512:FF3C44375D7FE116243D89518FD15F9000B5771FE7533D6EDE80F368CF0358392986127982B86D044010218782B597A47B7B576853CA793C217AB57D8A20064C
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):73728
                                                                            Entropy (8bit):0.1390699935475277
                                                                            Encrypted:false
                                                                            SSDEEP:24:mxAZsTxkrcipVkrukrUMoAEVkryjCyDipVkrFV2BwG6r80iQ+ISp:mSyTeASCVgMoAECiCyDSCpoMXiQkp
                                                                            MD5:B19AFEB1CC67FAE605B055C52E2DC3DD
                                                                            SHA1:2ABED87BB0CD6B6B2673783220CACA5E42B58C29
                                                                            SHA-256:E2EADAD4EFC69053D8F2C1ADC242D91F40970E3C849ABA824B7F6B8E5DB91EB8
                                                                            SHA-512:5C8FBEA25C057EAF153C32444578E22FE561DB97386B96FF74A6D5CB280AA6B4CE96F2207C480C080355648BF47224388DD3BCA6B3C99576D891D130FBDD9EC4
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):512
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3::
                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):512
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3::
                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                            Malicious:false
                                                                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):512
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3::
                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                            Malicious:false
                                                                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                            Category:dropped
                                                                            Size (bytes):20480
                                                                            Entropy (8bit):1.5694495463631415
                                                                            Encrypted:false
                                                                            SSDEEP:48:w8PhluRc06WXOCnT5SpjAqgMoAECiCyDSCpoMXuASC4TSS:fhl1UnTwnEC83X1
                                                                            MD5:0A4BF34EF113DAB2C159AAA4EF61D3A0
                                                                            SHA1:67EAD72BDF2E8F642435F2B09D83D98B06F5C504
                                                                            SHA-256:BB4096C895509D1D68A03867B23F12AD7A1B4B3F3C03FF4EB4610255BC909799
                                                                            SHA-512:41704F6F81D605D5F1EEEB4C67769BE9A546A678B976866AAF0F2B2A11F273E6B85F08106FA2FABC2D60823BAEB286939E708215812F94CE68424C47F54DD11C
                                                                            Malicious:false
                                                                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):512
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3::
                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                            Malicious:false
                                                                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                            Category:dropped
                                                                            Size (bytes):20480
                                                                            Entropy (8bit):1.5694495463631415
                                                                            Encrypted:false
                                                                            SSDEEP:48:w8PhluRc06WXOCnT5SpjAqgMoAECiCyDSCpoMXuASC4TSS:fhl1UnTwnEC83X1
                                                                            MD5:0A4BF34EF113DAB2C159AAA4EF61D3A0
                                                                            SHA1:67EAD72BDF2E8F642435F2B09D83D98B06F5C504
                                                                            SHA-256:BB4096C895509D1D68A03867B23F12AD7A1B4B3F3C03FF4EB4610255BC909799
                                                                            SHA-512:41704F6F81D605D5F1EEEB4C67769BE9A546A678B976866AAF0F2B2A11F273E6B85F08106FA2FABC2D60823BAEB286939E708215812F94CE68424C47F54DD11C
                                                                            Malicious:false
                                                                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):638
                                                                            Entropy (8bit):4.751962275036146
                                                                            Encrypted:false
                                                                            SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                                            MD5:15CA959638E74EEC47E0830B90D0696E
                                                                            SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                                            SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                                            SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                                            Malicious:false
                                                                            Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...
                                                                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {407D30C8-5796-4E25-8C18-75DF537E90CA}, Number of Words: 10, Subject: Triund App, Author: Ubrovs Apps Coops, Name of Creating Application: Triund App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Triund App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Jan 1 23:05:44 2025, Last Saved Time/Date: Wed Jan 1 23:05:44 2025, Last Printed: Wed Jan 1 23:05:44 2025, Number of Pages: 450
                                                                            Entropy (8bit):7.21442765814377
                                                                            TrID:
                                                                            • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                                            • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                                            File name:Setup.msi
                                                                            File size:60'710'400 bytes
                                                                            MD5:523591c4bc224a911b1b9d706cd7eab5
                                                                            SHA1:4522d4d244b6bfe23664d862233783024b80933a
                                                                            SHA256:82cf590a9b6eb15a555c556ba25b143a2ae1977379646a2b6990db15e3dff635
                                                                            SHA512:a8f8280d3895b24ef2080e33aa952305195233e055bce747e24cd43904165e2d16601974013bec96ed2ff11e1d16a72c6adb899f7d3309f4ada07dfd9e5f5f4f
                                                                            SSDEEP:1572864:8r8VmrjV7eIvnOTZScazQOie5juBl7lgAF:GHzccye1uBxl1
                                                                            TLSH:D9D76C01B3FA4148F2F75EB17EBA85A5947ABD521B30C0EF1244A60E1B71BC25BB1763
                                                                            File Content Preview:........................>............................................2..................................................................x......................................................................................................................
                                                                            Icon Hash:2d2e3797b32b2b99
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-03T05:47:08.564418+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1 | 192.168.2.4 | 49730 | 104.21.32.1 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 3, 2025 05:47:08.024344921 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 3, 2025 05:47:08.024393082 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 3, 2025 05:47:08.024481058 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 3, 2025 05:47:08.028558969 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 3, 2025 05:47:08.028574944 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 3, 2025 05:47:08.511998892 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 3, 2025 05:47:08.512065887 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 3, 2025 05:47:08.559715986 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 3, 2025 05:47:08.559734106 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 3, 2025 05:47:08.559962988 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 3, 2025 05:47:08.560012102 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 3, 2025 05:47:08.564306021 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 3, 2025 05:47:08.564367056 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 3, 2025 05:47:08.564400911 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 3, 2025 05:47:09.027237892 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 3, 2025 05:47:09.027287960 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 3, 2025 05:47:09.027338982 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 3, 2025 05:47:09.027359962 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 3, 2025 05:47:09.027827024 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 3, 2025 05:47:09.027846098 CET | 443 | 49730 | 104.21.32.1 | 192.168.2.4
Jan 3, 2025 05:47:09.027853966 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Jan 3, 2025 05:47:09.027899027 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 3, 2025 05:47:07.825272083 CET | 64878 | 53 | 192.168.2.4 | 1.1.1.1
Jan 3, 2025 05:47:08.019750118 CET | 53 | 64878 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 3, 2025 05:47:07.825272083 CET | 192.168.2.4 | 1.1.1.1 | 0xb741 | Standard query (0) | blamedical.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 3, 2025 05:47:08.019750118 CET | 1.1.1.1 | 192.168.2.4 | 0xb741 | No error (0) | blamedical.com | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 3, 2025 05:47:08.019750118 CET | 1.1.1.1 | 192.168.2.4 | 0xb741 | No error (0) | blamedical.com | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 3, 2025 05:47:08.019750118 CET | 1.1.1.1 | 192.168.2.4 | 0xb741 | No error (0) | blamedical.com | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 3, 2025 05:47:08.019750118 CET | 1.1.1.1 | 192.168.2.4 | 0xb741 | No error (0) | blamedical.com | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 3, 2025 05:47:08.019750118 CET | 1.1.1.1 | 192.168.2.4 | 0xb741 | No error (0) | blamedical.com | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 3, 2025 05:47:08.019750118 CET | 1.1.1.1 | 192.168.2.4 | 0xb741 | No error (0) | blamedical.com | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 3, 2025 05:47:08.019750118 CET | 1.1.1.1 | 192.168.2.4 | 0xb741 | No error (0) | blamedical.com | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
                                                                            • blamedical.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 104.21.32.1 | 443 | 4408 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-03 04:47:08 UTC | 192 | OUT | POST /updater.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvancedInstaller
    Host: blamedical.com
    Content-Length: 71
    Cache-Control: no-cache
2025-01-03 04:47:08 UTC | 71 | OUT | Data Raw: 44 61 74 65 3d 30 32 25 32 46 30 31 25 32 46 32 30 32 35 26 54 69 6d 65 3d 32 33 25 33 41 34 37 25 33 41 30 36 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
    Data Ascii: Date=02%2F01%2F2025&Time=23%3A47%3A06&BuildVersion=8.9.9&SoroqVins=True
2025-01-03 04:47:09 UTC | 836 | IN | HTTP/1.1 500 Internal Server Error
    Date: Fri, 03 Jan 2025 04:47:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Cache-Control: no-store
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NXStoBl6q5gxEanrbR6%2BOOsuydgkxVGVJW4ytvsi1exEn4d81bgfTY0aWkUjLqUmmWjjtwV67ai3Ftv4vzCtzzz7dnrAU3T15XCVMEPl%2Fmenjg%2F1BFGW5Fn%2B5IL%2BJoq0KQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fc0595eddfd4344-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1722&min_rtt=1718&rtt_var=652&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2833&recv_bytes=923&delivery_rate=1666666&cwnd=47&unsent_bytes=0&cid=c0c031a4098c742b&ts=529&x=0"
2025-01-03 04:47:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
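
The 71-byte POST body in the stream above is printed twice, once as a hex dump and once as ASCII. As an added example (not part of the Joe Sandbox report and not code from the installer), the Python below decodes that dump, URL-decodes the form fields and cross-checks the declared Content-Length, which is the first thing to do before quoting a "Data Ascii" line in a write-up. Two points the decoded fields support: the Date and Time values (02/01/2025, 23:47:06) are the analysis VM's local clock, matching the process start times listed further down (23:47:01 on 02/01/2025), so the beacon reports the host's local time rather than anything installation-specific; and the server answered 500 with an empty chunked body, so no update payload was observed in this run. The hex, request head and host are copied from the report; the function names and the "looks_like_installer_beacon" heuristic are this example's own.

```python
"""Decode and sanity-check the HTTP beacon captured in the report above.

Added example, not part of the Joe Sandbox report. The hex dump and the
request head are copied from the report's HTTP stream; the parsing and the
heuristic are illustration only.
"""
from __future__ import annotations

from urllib.parse import parse_qs

# Copied from the report: "Data Raw" of the 71-byte OUT record.
DATA_RAW_HEX = (
    "44 61 74 65 3d 30 32 25 32 46 30 31 25 32 46 32 30 32 35 26 54 69 6d 65 "
    "3d 32 33 25 33 41 34 37 25 33 41 30 36 26 42 75 69 6c 64 56 65 72 73 69 "
    "6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65"
)

# Copied from the report: request line and headers of the 192-byte OUT record.
REQUEST_HEAD = """POST /updater.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvancedInstaller
Host: blamedical.com
Content-Length: 71
Cache-Control: no-cache"""


def decode_data_raw(hex_dump: str) -> bytes:
    """Turn a sandbox 'Data Raw' line (space-separated hex bytes) into bytes."""
    return bytes.fromhex(hex_dump.replace(" ", ""))


def parse_head(head: str) -> tuple[str, str, dict[str, str]]:
    """Split a request head into (method, path, headers keyed by lower-cased name)."""
    lines = head.splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_form_body(body: bytes) -> dict[str, str]:
    """URL-decode an application/x-www-form-urlencoded body (first value per key)."""
    decoded = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    return {key: values[0] for key, values in decoded.items()}


def describe_beacon(head: str, body: bytes) -> dict:
    """Summarise the request and flag what an analyst should verify.

    'length_matches' compares the declared Content-Length with the bytes actually
    captured; 'looks_like_installer_beacon' is this example's own heuristic for
    the Date/Time/BuildVersion shape seen in the capture.
    """
    method, path, headers = parse_head(head)
    fields = parse_form_body(body)
    declared = int(headers.get("content-length", "-1"))
    return {
        "method": method,
        "path": path,
        "host": headers.get("host"),
        "user_agent": headers.get("user-agent"),
        "length_matches": declared == len(body),
        "fields": fields,
        "looks_like_installer_beacon": (
            method == "POST" and {"Date", "Time", "BuildVersion"} <= set(fields)
        ),
    }


if __name__ == "__main__":
    body = decode_data_raw(DATA_RAW_HEX)
    print(body.decode("utf-8"))
    for key, value in describe_beacon(REQUEST_HEAD, body).items():
        print(f"{key}: {value}")
```

When the report's own decode and the declared length disagree, the raw hex is the record to trust; the ASCII rendering in sandbox reports replaces non-printable bytes with dots and can hide structure such as separators or embedded NULs.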



                                                                            Target ID:0
                                                                            Start time:23:47:01
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\msiexec.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Setup.msi"
                                                                            Imagebase:0x7ff615a30000
                                                                            File size:69'632 bytes
                                                                            MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:1
                                                                            Start time:23:47:01
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\msiexec.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\msiexec.exe /V
                                                                            Imagebase:0x7ff615a30000
                                                                            File size:69'632 bytes
                                                                            MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:2
                                                                            Start time:23:47:03
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 8F0616FDCCEEE0FB673056B78EC724D0
                                                                            Imagebase:0x590000
                                                                            File size:59'904 bytes
                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:3
                                                                            Start time:23:47:08
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBB88.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiBB75.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrBB76.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrBB77.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                                            Imagebase:0x410000
                                                                            File size:433'152 bytes
                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:4
                                                                            Start time:23:47:08
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:5
                                                                            Start time:23:47:15
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\cmd.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\suriqk.bat" "C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe""
                                                                            Imagebase:0x7ff6f7110000
                                                                            File size:289'792 bytes
                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:6
                                                                            Start time:23:47:15
                                                                            Start date:02/01/2025
                                                                            Path:C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\createdump.exe"
                                                                            Imagebase:0x7ff609540000
                                                                            File size:57'488 bytes
                                                                            MD5 hash:71F796B486C7FAF25B9B16233A7CE0CD
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Antivirus matches:
                                                                            • Detection: 0%, ReversingLabs
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:7
                                                                            Start time:23:47:15
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff70f330000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:8
                                                                            Start time:23:47:15
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:9
                                                                            Start time:23:47:15
                                                                            Start date:02/01/2025
                                                                            Path:C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Users\user\AppData\Roaming\Ubrovs Apps Coops\Triund App\obs-ffmpeg-mux.exe"
                                                                            Imagebase:0x7ff71d010000
                                                                            File size:35'656 bytes
                                                                            MD5 hash:D3CAC4D7B35BACAE314F48C374452D71
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Antivirus matches:
                                                                            • Detection: 0%, ReversingLabs
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:10
                                                                            Start time:23:47:15
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:13
                                                                            Start time:23:47:26
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1736815578.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_7b70000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q
                                                                              • API String ID: 0-831282457
                                                                              • Opcode ID: 0d680e50ddba209312f3359c654cb24a92e6fa308723fc6857d681fd7e2aad74
                                                                              • Instruction ID: c1f9ca9394137e3dfdf823a18047c028ceba49ceffb25812cd26b29221e55e8b
                                                                              • Opcode Fuzzy Hash: 0d680e50ddba209312f3359c654cb24a92e6fa308723fc6857d681fd7e2aad74
                                                                              • Instruction Fuzzy Hash: DC6115B070420E9FEB148FBDD44066A7BE6EFC5210F1484AAE465CF291DB31C945C7B1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1736815578.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_7b70000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q
                                                                              • API String ID: 0-355816377
                                                                              • Opcode ID: 7a5206a2d243c00793510dddc77e4d4e3e20a8c0e0870eeaacea8251e8f074e3
                                                                              • Instruction ID: e7feaf93075b887e867f6c2bd5f08190b955a382393c685f957f57aa4198ad95
                                                                              • Opcode Fuzzy Hash: 7a5206a2d243c00793510dddc77e4d4e3e20a8c0e0870eeaacea8251e8f074e3
                                                                              • Instruction Fuzzy Hash: 423194F0A0420EDFEB25CF6DC5846A57BF1EF82210F1885EAE4658F291E335D945CB61
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1733018861.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_5040000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e26d5cf566c86f11fdba19e00a58930119c99e34bf55af5cf13ac4cdd8e6326a
                                                                              • Instruction ID: a5a20c2331c73cdfdd9c8d352482808c5214265de03792c09e7784ec96901582
                                                                              • Opcode Fuzzy Hash: e26d5cf566c86f11fdba19e00a58930119c99e34bf55af5cf13ac4cdd8e6326a
                                                                              • Instruction Fuzzy Hash: A1A15E71A002089FDB14DFA4E554AADB7F6FF84350F158969D806AB268DB34ED89CF80
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1733018861.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_5040000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bddf83a7a6a51d905861acc16a1b04ae13868cadc7538ffa45a7239d22a4b127
                                                                              • Instruction ID: 3c5933cc8151d1aefc1e1ae197ac8e6ea1a969e25926eeb4e588df32fdd691ee
                                                                              • Opcode Fuzzy Hash: bddf83a7a6a51d905861acc16a1b04ae13868cadc7538ffa45a7239d22a4b127
                                                                              • Instruction Fuzzy Hash: C8719F70A002098FCB14DF68D884AAEFBF6FF45354F14897AE8159B651DB35AC46CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1733018861.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_5040000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 92afba1cc2936476862a978e868adbec6e57f3522d66463fd9be80d4bc346fa9
                                                                              • Instruction ID: 7ea5dc16896e81ad5814c2ab2092cef9091492c01fc16ec6b1a4698dcb328e24
                                                                              • Opcode Fuzzy Hash: 92afba1cc2936476862a978e868adbec6e57f3522d66463fd9be80d4bc346fa9
                                                                              • Instruction Fuzzy Hash: F4712C70A00208DFDB15DFB5E444BADBBF6BF84344F148929D416AB2A0DB34AC46CF51
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1733018861.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_5040000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a876bcdf18d9726210ba042b14ac08496fb324712ae5a502819a4c224c9be779
                                                                              • Instruction ID: 576d0dd8add238106c65a4a7eb247fcfe131424008defd70719170269fc88bde
                                                                              • Opcode Fuzzy Hash: a876bcdf18d9726210ba042b14ac08496fb324712ae5a502819a4c224c9be779
                                                                              • Instruction Fuzzy Hash: 4D5170716002048FDB14EF74D594AAEBBF2EF89790F198569E506EB3A0DB349C45CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1733018861.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_5040000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b06d9474bc578eab9f06cad9fde85767b9803f74622ee6e9d82bf8d2ab7ace9f
                                                                              • Instruction ID: 7cab98f958ea77e8be369cf8ccbf7059311ab5643b6a68836a49556f7adbd313
                                                                              • Opcode Fuzzy Hash: b06d9474bc578eab9f06cad9fde85767b9803f74622ee6e9d82bf8d2ab7ace9f
                                                                              • Instruction Fuzzy Hash: AB413AB0A00608DFDB14EFA9D484AADBBF2BF84344F158929D406AB394DB74A845CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1733018861.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_5040000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 34525545fc5ec55d1ec056cf20ebb79b887f05f5769f539585fddcf645775f5b
                                                                              • Instruction ID: 0c407a54fac24b70b989914a9144d5f7244e808727ca37451de9dfec173f0f5b
                                                                              • Opcode Fuzzy Hash: 34525545fc5ec55d1ec056cf20ebb79b887f05f5769f539585fddcf645775f5b
                                                                              • Instruction Fuzzy Hash: F1315EB47086408F8395DA28A02076DFBF3FBC5290309E9B9E546CB751DB34FC868B91
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1733018861.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_5040000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1a6cc731ad7a17b4779762c2b9ce9162a476eb5c0e0e637e3a2eb5c432a53e8d
                                                                              • Instruction ID: b46061d077541b50db1029cc0bac11afd48689eec7dc685f28df363f6febf6d1
                                                                              • Opcode Fuzzy Hash: 1a6cc731ad7a17b4779762c2b9ce9162a476eb5c0e0e637e3a2eb5c432a53e8d
                                                                              • Instruction Fuzzy Hash: 89115B3150E2E08FCB03AB6CD8B05D9BF70EF46224B1940D3D0949B1A3C615899DC7A6
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1732728896.0000000004B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B5D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_4b5d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: eb1a68629bfcdcef38ceff8cd63fc9e9cd3f47b19deeeb74dd8e75058ffaf44c
                                                                              • Instruction ID: 01d67ae8036d97abbc17f30aee1ce221356039f70a0f91aad346c75d70bcbaa7
                                                                              • Opcode Fuzzy Hash: eb1a68629bfcdcef38ceff8cd63fc9e9cd3f47b19deeeb74dd8e75058ffaf44c
                                                                              • Instruction Fuzzy Hash: B9012B71108300AAE7104E39DD84767FF9CDF41324F0CC6A9EC484B256D279E842C6B1
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1732728896.0000000004B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B5D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_4b5d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fd6ee2161890f4772cda0f38bb14eda706bd866eb67a7a504526f75a53610659
                                                                              • Instruction ID: a4453ff5fb7536cf91330dcf79c9a060f12b7c2b8400f5121b4082a2a7884acf
                                                                              • Opcode Fuzzy Hash: fd6ee2161890f4772cda0f38bb14eda706bd866eb67a7a504526f75a53610659
                                                                              • Instruction Fuzzy Hash: 4501406110E3C05ED7128B2599A4B52BFB8DF53224F1CC5DBDD888F2A3C2699845C772
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1733018861.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_5040000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1615035fd173ddeb895c835f2dc73b97a7847080ee4d9777e13f286b99a79d02
                                                                              • Instruction ID: 7b6ffaef598f04d1095ceaea34e9c8da6d1741ccb95ccc6546fe7a2f2b2d202f
                                                                              • Opcode Fuzzy Hash: 1615035fd173ddeb895c835f2dc73b97a7847080ee4d9777e13f286b99a79d02
                                                                              • Instruction Fuzzy Hash: 9DF03070A8060ADFDB04DBA4D595B6EBBB2EF44344F148928D5029F3A8DB799D488BC0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1736815578.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_7b70000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: tP^q$tP^q$tP^q$tP^q$$^q$$^q$$^q$$^q
                                                                              • API String ID: 0-1611378414
                                                                              • Opcode ID: 0712a1a3ebf03586175385e43782401b63654edf8da4f9a851c83cad09ac8115
                                                                              • Instruction ID: 1bab361830a4017935bc2d737ff5d259ae9866f7bbbfd2aca894bf889d0b0ab0
                                                                              • Opcode Fuzzy Hash: 0712a1a3ebf03586175385e43782401b63654edf8da4f9a851c83cad09ac8115
                                                                              • Instruction Fuzzy Hash: 9B9138F170424D8FEB158A6C980466ABBE6EFC6610F1884EBD554CF392CA32DC45C7B2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1736815578.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_7b70000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                              • API String ID: 0-3732357466
                                                                              • Opcode ID: d6d86ea5e4449ae14bc4d9cd315451db7cc16fac3c9ce68b747a43149af2b3cf
                                                                              • Instruction ID: 78bd7bb51782425644f0e443c4fbe037fa60d630618a02a23673c980db0a50ae
                                                                              • Opcode Fuzzy Hash: d6d86ea5e4449ae14bc4d9cd315451db7cc16fac3c9ce68b747a43149af2b3cf
                                                                              • Instruction Fuzzy Hash: A75129F5B0430ACFEB25AA2D980466BBBB5EFD6210F1484FBD465CB351DA32C845C7A1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.1736815578.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_7b70000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$4'^q$$^q$$^q
                                                                              • API String ID: 0-2049395529
                                                                              • Opcode ID: c8807e229f16cee34b4c9e33c5ca711283812dc16ff6c65cf7d6f2e4242bf9a2
                                                                              • Instruction ID: 04ef12244c13158869b3f1c9081b78725303167cf06a8c4192f6cc4ef53bb4f8
                                                                              • Opcode Fuzzy Hash: c8807e229f16cee34b4c9e33c5ca711283812dc16ff6c65cf7d6f2e4242bf9a2
                                                                              • Instruction Fuzzy Hash: 9A01F2A170E3860FD73B12281C645A6AFB65F8351036905DBC091CF29BCD199C8AC3A3

                                                                              Execution Graph

Execution Coverage: 3.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.7%
Total number of Nodes: 701
Total number of Limit Nodes: 1

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                                              • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                                              • API String ID: 2647627392-2367407095
                                                                              • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                              • Instruction ID: e7ea968b026defae814c7b1d1b5a43722923c93ee4036bf4e930e5402fab4c0c
                                                                              • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                              • Instruction Fuzzy Hash: BEA17161D0CB8245FBE38F23A4402B967A6AB56B5CF285131DA4EC6795DE3CE4A4CF00

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                                              • String ID:
                                                                              • API String ID: 2308368977-0
                                                                              • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                              • Instruction ID: b4ae6e12b109a4617b89594e3c64f2f3a6deaeae2ab38ede2de8d7285763bb09
                                                                              • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                              • Instruction Fuzzy Hash: 45315E21E0C22342FA96AF27A5113BD2293AF4578CF644034F66DC73E7CE2CA865CE51

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                                              • String ID: [createdump]
                                                                              • API String ID: 3735572767-2657508301
                                                                              • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                                              • Instruction ID: 8edcf581899bae0b0644f0ae752d1c2966cc084a6933b63a7814d60f36a66031
                                                                              • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                                              • Instruction Fuzzy Hash: 7C014B21A0CB8183E6419F52F81526AA366EB84BD9F104539EB8D83765DF3CD4A5CB00

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                              • String ID:
                                                                              • API String ID: 3140674995-0
                                                                              • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                                              • Instruction ID: 3ef39850b35bb8c598abc07188da6f9016058259b3d52eccd7235d5ebb87e774
                                                                              • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                                              • Instruction Fuzzy Hash: 30315272618B8186EBA19F61E8403ED7376FB84748F544439DB4E87B98EF38D558CB10
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                                              • Instruction ID: 44dacf7d0659efa89a577955ebb874ab3e8362f2d4596155997689f6f0156e46
                                                                              • Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                                              • Instruction Fuzzy Hash: 7DA0022591CC02D0E6D68F12E9541352372FF50308B600531D10DC12B0EF3CA464DB00

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF60954242D
                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF60954243B
                                                                                • Part of subcall function 00007FF609541450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF609541475
                                                                                • Part of subcall function 00007FF609541450: fprintf.MSPDB140-MSVCRT ref: 00007FF609541485
                                                                                • Part of subcall function 00007FF609541450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF609541494
                                                                                • Part of subcall function 00007FF609541450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6095414B3
                                                                                • Part of subcall function 00007FF609541450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6095414BE
                                                                                • Part of subcall function 00007FF609541450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6095414C7
                                                                              • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF609542466
                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF609542470
                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF609542487
                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6095425F3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                                              • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                                              • API String ID: 3971781330-1292085346
                                                                              • Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                                              • Instruction ID: ab5ba3586619fe7c6d4767e5cfd7e107e88dd4e797da682db77966b889e84b98
                                                                              • Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                                              • Instruction Fuzzy Hash: 6561A131A0CA4181EAA19F13E45067A7762FB85798F600130EBAE87BA5DF3CE495DF00

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                              • String ID: csm$csm$csm
                                                                              • API String ID: 695522112-393685449
                                                                              • Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                                              • Instruction ID: 5c288186854e6434385fbbcad8725404d0677d3a96b94b4a9469340c7e6102b4
                                                                              • Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                                              • Instruction Fuzzy Hash: 0CE19572A087828AE792DF26D4803AD77E2FB4474CF244135DA9D87765DF38E4A5CB01

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                                              • String ID: [createdump]
                                                                              • API String ID: 3735572767-2657508301
                                                                              • Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                                              • Instruction ID: 046a7c65088191c527b4f16ec20d696d56cc414f7108350765c180e1860e608c
                                                                              • Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                                              • Instruction Fuzzy Hash: B6014B31A0CB8183E7419F52F8142AAA362EB84BD9F104535EB8D83765DF7CD4A5CB40

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • WSAStartup.WS2_32 ref: 00007FF60954186C
                                                                                • Part of subcall function 00007FF609541450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF609541475
                                                                                • Part of subcall function 00007FF609541450: fprintf.MSPDB140-MSVCRT ref: 00007FF609541485
                                                                                • Part of subcall function 00007FF609541450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF609541494
                                                                                • Part of subcall function 00007FF609541450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6095414B3
                                                                                • Part of subcall function 00007FF609541450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6095414BE
                                                                                • Part of subcall function 00007FF609541450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6095414C7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                                              • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                                              • API String ID: 3378602911-3973674938
                                                                              • Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                                              • Instruction ID: 57e912705d181dece2a482591f70a76120a64403ca4e445b988d73bfd2c048ea
                                                                              • Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                                              • Instruction Fuzzy Hash: FE31E362E0CAC186E79A8F17A8557F927A3BB55788F640032EE5D433D1CE3CE1A5CB00

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF60954669F,?,?,?,00007FF60954441E,?,?,?,00007FF6095443D9), ref: 00007FF60954651D
                                                                              • GetLastError.KERNEL32(?,00000000,00007FF60954669F,?,?,?,00007FF60954441E,?,?,?,00007FF6095443D9,?,?,?,?,00007FF609543524), ref: 00007FF60954652B
                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00007FF60954669F,?,?,?,00007FF60954441E,?,?,?,00007FF6095443D9,?,?,?,?,00007FF609543524), ref: 00007FF609546555
                                                                              • FreeLibrary.KERNEL32(?,00000000,00007FF60954669F,?,?,?,00007FF60954441E,?,?,?,00007FF6095443D9,?,?,?,?,00007FF609543524), ref: 00007FF60954659B
                                                                              • GetProcAddress.KERNEL32(?,00000000,00007FF60954669F,?,?,?,00007FF60954441E,?,?,?,00007FF6095443D9,?,?,?,?,00007FF609543524), ref: 00007FF6095465A7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: Library$Load$AddressErrorFreeLastProc
                                                                              • String ID: api-ms-
                                                                              • API String ID: 2559590344-2084034818
                                                                              • Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                                              • Instruction ID: 96bc9fb1d774ce6b88da629a50b72a388d7e9d20befdb9a2f95fda7417bfd0a1
                                                                              • Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                                              • Instruction Fuzzy Hash: 1F31C821A1B60281FE939F13A8046B522D6FF0AB68FB94535DD1D87784EF3CE4648B00

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: _time64
                                                                              • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                              • API String ID: 1670930206-4114407318
                                                                              • Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                                              • Instruction ID: ef702ed6e4e04b88c9dfffe82521144a71f59719181e4aeb8543649b13397b08
                                                                              • Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                                              • Instruction Fuzzy Hash: 00510572A18B8186EB41CF2AE4803AD77A2FB517C8F600131EA5D57BA9DF3CD051DB40

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: EncodePointerabort
                                                                              • String ID: MOC$RCC
                                                                              • API String ID: 1188231555-2084237596
                                                                              • Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                                              • Instruction ID: 060663468f7f7938e2f435c006313ce6e48308b1a472f78ab03d275223d8a945
                                                                              • Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                                              • Instruction Fuzzy Hash: D0919373A08B828AE752CF66E4402AD77B1F74578CF244129EB8D97755DF38D1A6CB00

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: __except_validate_context_recordabort
                                                                              • String ID: csm$csm
                                                                              • API String ID: 746414643-3733052814
                                                                              • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                                              • Instruction ID: 11adc9fdc5b2bb3b88892437d7e9e181041fbd3634d4953f8cbd936f513455c1
                                                                              • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                                              • Instruction Fuzzy Hash: 0F71B5325086818BD7A24F26A04077D7BA2FB45B9DF248135EA8D8BB85DF3CD462CF40

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                              • API String ID: 0-4114407318
                                                                              • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                                              • Instruction ID: d31c9b9b6b919afaf65a7ff005b82fe31f20675a264f1e2e156d5c9325383809
                                                                              • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                                              • Instruction Fuzzy Hash: 50511772A1CB8542E741CF2AE4447AA6762FB917D4F600135EA9D47BE9CF3CD091DB40

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFrameInfo__except_validate_context_record
                                                                              • String ID: csm
                                                                              • API String ID: 2558813199-1018135373
                                                                              • Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                                              • Instruction ID: 486a7150b2cd1fc7490c2e7e73339bbee940555872ea064fdfab63ac22a3cf88
                                                                              • Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                                              • Instruction Fuzzy Hash: B251397261974286D6A1AF16F04026E77F5FB89B98F240134EA8D87B56DF78E4B1CF00
                                                                              APIs
                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 00007FF6095417EB
                                                                              • WSAStartup.WS2_32 ref: 00007FF60954186C
                                                                                • Part of subcall function 00007FF609541450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF609541475
                                                                                • Part of subcall function 00007FF609541450: fprintf.MSPDB140-MSVCRT ref: 00007FF609541485
                                                                                • Part of subcall function 00007FF609541450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF609541494
                                                                                • Part of subcall function 00007FF609541450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6095414B3
                                                                                • Part of subcall function 00007FF609541450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6095414BE
                                                                                • Part of subcall function 00007FF609541450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6095414C7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
                                                                              • String ID: --name$Pipe syntax in dump name not supported$string too long
                                                                              • API String ID: 1412700758-3183687674
                                                                              • Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                                              • Instruction ID: a936c6fd429e7443a46b7767777ef989024297fd6bc66f4c4d12478f0112de9d
                                                                              • Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                                              • Instruction Fuzzy Hash: 1001B122A1898195F7A29F13EC927EA6350BB9879CF200036EE4C47761CE3CD4A6CB00
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastgethostname
                                                                              • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                              • API String ID: 3782448640-4114407318
                                                                              • Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                                              • Instruction ID: 2e340b0e7421a630760e98ede1a15731546ebd063fcf561d73fd43deb1ccd7c1
                                                                              • Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                                              • Instruction Fuzzy Hash: C411A711A0D54245E6CA9F23B8507FA22529F867ACF201135EA6F973D6DD3CD0A29B40
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: terminate
                                                                              • String ID: MOC$RCC$csm
                                                                              • API String ID: 1821763600-2671469338
                                                                              • Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                                              • Instruction ID: 639f0fb2470768debf16d61a001dbe455562b9f1ba66bb960b22a2956b220328
                                                                              • Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                                              • Instruction Fuzzy Hash: C0F08C3694C24681E3A65F52B14126C76E6EF58B4CF286031D709863A2CF7CE4B0CE02
                                                                              APIs
                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF6095418EE), ref: 00007FF6095421E0
                                                                              • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF60954221E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                              • String ID: Invalid process id '%d' error %d
                                                                              • API String ID: 73155330-4244389950
                                                                              • Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                                              • Instruction ID: 8bf408e4243f58f0b910c22f49b8b39ab0a45879dd683678a67e1a149dd78f3f
                                                                              • Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                                              • Instruction Fuzzy Hash: A931042270D79286EE568F1795443BD63A2AB05BD8F280631EF6D4BBD5CE7CE0A08700
                                                                              APIs
                                                                              • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF60954173F), ref: 00007FF609543FC8
                                                                              • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF60954173F), ref: 00007FF60954400E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.1789802338.00007FF609541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF609540000, based on PE: true
                                                                              • Associated: 00000006.00000002.1789782135.00007FF609540000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789825044.00007FF609548000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789931581.00007FF60954C000.00000004.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000006.00000002.1789948808.00007FF60954D000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_7ff609540000_createdump.jbxd
                                                                              Similarity
                                                                              • API ID: ExceptionFileHeaderRaise
                                                                              • String ID: csm
                                                                              • API String ID: 2573137834-1018135373
                                                                              • Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                                              • Instruction ID: 9281ee1c0e007dd91691a024319be45621437539f949d8634fff295cc44928b6
                                                                              • Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                                              • Instruction Fuzzy Hash: D1111F32618B4192EB618F16F94026977A5FB88B98F284231EF8D47B68DF3DD565CB00
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1790556344.00007FF71D011000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF71D010000, based on PE: true
                                                                              • Associated: 00000009.00000002.1790543046.00007FF71D010000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790574184.00007FF71D015000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790588551.00007FF71D016000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790606196.00007FF71D019000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ff71d010000_obs-ffmpeg-mux.jbxd
                                                                              Similarity
                                                                              • API ID: strncmp$__acrt_iob_func$av_dict_freeav_strerrorfprintfprintf$av_dict_getos_event_init$__stdio_common_vfprintf_errnoav_dict_countav_dict_parse_stringav_mallocavformat_write_headeravio_alloc_contextavio_openbreallocmemmovepthread_createpthread_mutex_initstrerror
                                                                              • String ID: %s=%s$Couldn't open '%s', %s$Error opening '%s': %s$Failed to parse muxer settings: %s%s$Using muxer settings:
                                                                              • API String ID: 2783795328-2826353358
                                                                              • Opcode ID: 0ced714b6d2bafb841ab697dc7cb68e417ab27a254e86fbca716fd3c82a395c5
                                                                              • Instruction ID: 40f625fc6e7783a8f2e458b9abd54b67f034046886c5a70168c8a85c2d0c77cb
                                                                              • Opcode Fuzzy Hash: 0ced714b6d2bafb841ab697dc7cb68e417ab27a254e86fbca716fd3c82a395c5
                                                                              • Instruction Fuzzy Hash: A6A18F61B0CE8296EB15EB31D4913FCA360FB58798FC04136EA4D47695FF6CE2588B50
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1790556344.00007FF71D011000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF71D010000, based on PE: true
                                                                              • Associated: 00000009.00000002.1790543046.00007FF71D010000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790574184.00007FF71D015000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790588551.00007FF71D016000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790606196.00007FF71D019000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ff71d010000_obs-ffmpeg-mux.jbxd
                                                                              Similarity
                                                                              • API ID: __acrt_iob_func$freemalloc$fprintf$ByteCharMultiWideav_rescale_q_rndrealloc$ErrorMode__stdio_common_vfprintf_fileno_setmodeav_interleaved_write_frameav_strerrormemsetsetvbuf
                                                                              • String ID: Couldn't initialize muxer$av_interleaved_write_frame failed: %d: %s
                                                                              • API String ID: 4192084208-164389310
                                                                              • Opcode ID: 90e4d641eae2122b72088982d14054dbbcc6ef952270b6c02c8a2abd6878b3b9
                                                                              • Instruction ID: 2345c55f6c304be68a395c4152b3789d287535c699af4b6d8ce4cb9311eb231f
                                                                              • Opcode Fuzzy Hash: 90e4d641eae2122b72088982d14054dbbcc6ef952270b6c02c8a2abd6878b3b9
                                                                              • Instruction Fuzzy Hash: 90E18F22A0CE8286EB21EF61D8543ADA7B1FB89BA4F844135DE0D57754FF3CE1498B10
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1790556344.00007FF71D011000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF71D010000, based on PE: true
                                                                              • Associated: 00000009.00000002.1790543046.00007FF71D010000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790574184.00007FF71D015000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790588551.00007FF71D016000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790606196.00007FF71D019000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ff71d010000_obs-ffmpeg-mux.jbxd
                                                                              Similarity
                                                                              • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                              • String ID:
                                                                              • API String ID: 313767242-0
                                                                              • Opcode ID: 8e29f9cfb3282d508510f87b074f2afb23630758b427b43b81c2847ae2e7d6a0
                                                                              • Instruction ID: 8f35a7b02915f526c129fb0356253a7dc347318ba30f171668878890ce9bf5bd
                                                                              • Opcode Fuzzy Hash: 8e29f9cfb3282d508510f87b074f2afb23630758b427b43b81c2847ae2e7d6a0
                                                                              • Instruction Fuzzy Hash: 96310A62609E8286EB60AF60E8543EDA360FB84754F844039DA4D47A98FF39D64CCB20
                                                                              APIs
                                                                                • Part of subcall function 00007FF71D012570: printf.MSPDB140-MSVCRT ref: 00007FF71D012587
                                                                                • Part of subcall function 00007FF71D012530: atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,00000000,00007FF71D012617,?,?,?,00007FF71D011BD6,?,?,?,00007FF71D011A02), ref: 00007FF71D012552
                                                                              • puts.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF71D011BD6,?,?,?,00007FF71D011A02), ref: 00007FF71D0128DF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1790556344.00007FF71D011000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF71D010000, based on PE: true
                                                                              • Associated: 00000009.00000002.1790543046.00007FF71D010000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790574184.00007FF71D015000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790588551.00007FF71D016000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790606196.00007FF71D019000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ff71d010000_obs-ffmpeg-mux.jbxd
                                                                              Similarity
                                                                              • API ID: atoiprintfputs
                                                                              • String ID: Invalid number of audio tracks$Invalid number of video tracks$Must have at least 1 audio track or 1 video track$audio codec$audio track count$file name$muxer settings$stream key$video bitrate$video chroma sample location$video codec$video codec tag$video color primaries$video color range$video color trc$video colorspace$video fps den$video fps num$video height$video max luminance$video track count$video width${stream_key}
                                                                              • API String ID: 3402752964-4246942696
                                                                              • Opcode ID: bbb72588bee9787a683502761444138c14bf0f1375247d53f9cdc5c5b4da8170
                                                                              • Instruction ID: e0cea911b15e6c875deb23120d59500664acb7b5d0d2b87aa6da8b24318fec30
                                                                              • Opcode Fuzzy Hash: bbb72588bee9787a683502761444138c14bf0f1375247d53f9cdc5c5b4da8170
                                                                              • Instruction Fuzzy Hash: B5815DA490CE5691FA14FB61A6994F8A3A1EF09BE4FC50032DD0D07695BF3DE10ECB60
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1790556344.00007FF71D011000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF71D010000, based on PE: true
                                                                              • Associated: 00000009.00000002.1790543046.00007FF71D010000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790574184.00007FF71D015000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790588551.00007FF71D016000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790606196.00007FF71D019000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ff71d010000_obs-ffmpeg-mux.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy$__acrt_iob_func__stdio_common_vfprintffclosefprintfmallocos_event_signalos_event_waitpthread_mutex_lock
                                                                              • String ID: Error allocating memory for output$Error writing to '%s', %s
                                                                              • API String ID: 2637689336-4070097938
                                                                              • Opcode ID: a31c7b85b8c0d82d0157cb35a6e72543ed071c06804e902690462ed57beb3fc0
                                                                              • Instruction ID: c3a4a7d62291a36f51afad629f5c715f501ff8b145e8ada3280949554687a5bd
                                                                              • Opcode Fuzzy Hash: a31c7b85b8c0d82d0157cb35a6e72543ed071c06804e902690462ed57beb3fc0
                                                                              • Instruction Fuzzy Hash: D9A14132A1DE8685D755EF61E4403EDA360FB48B98F880135DE8D0B759FF78E1498B21
                                                                              APIs
                                                                              • strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF71D011A6D
                                                                                • Part of subcall function 00007FF71D012030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF71D0123A2), ref: 00007FF71D01204A
                                                                                • Part of subcall function 00007FF71D012030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF71D0123A2), ref: 00007FF71D012065
                                                                                • Part of subcall function 00007FF71D012030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF71D0123A2), ref: 00007FF71D012080
                                                                                • Part of subcall function 00007FF71D012030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF71D0123A2), ref: 00007FF71D01209B
                                                                                • Part of subcall function 00007FF71D012030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF71D0123A2), ref: 00007FF71D0120B6
                                                                              • avformat_network_init.AVFORMAT-60 ref: 00007FF71D011A85
                                                                              • av_guess_format.AVFORMAT-60 ref: 00007FF71D011AAF
                                                                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71D011ABC
                                                                              • fprintf.MSPDB140-MSVCRT ref: 00007FF71D011AD0
                                                                              • avformat_alloc_output_context2.AVFORMAT-60 ref: 00007FF71D011AEC
                                                                              • av_strerror.AVUTIL-58 ref: 00007FF71D011B19
                                                                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71D011B23
                                                                              • fprintf.MSPDB140-MSVCRT ref: 00007FF71D011B38
                                                                                • Part of subcall function 00007FF71D012910: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF71D011B4C), ref: 00007FF71D012939
                                                                                • Part of subcall function 00007FF71D012370: avcodec_free_context.AVCODEC-60 ref: 00007FF71D012388
                                                                                • Part of subcall function 00007FF71D012370: av_free.AVUTIL-58 ref: 00007FF71D0123B1
                                                                                • Part of subcall function 00007FF71D012370: avio_context_free.AVFORMAT-60 ref: 00007FF71D0123BD
                                                                                • Part of subcall function 00007FF71D012370: avformat_free_context.AVFORMAT-60 ref: 00007FF71D0123CC
                                                                                • Part of subcall function 00007FF71D012370: avcodec_free_context.AVCODEC-60 ref: 00007FF71D012402
                                                                                • Part of subcall function 00007FF71D012370: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF71D012415
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1790556344.00007FF71D011000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF71D010000, based on PE: true
                                                                              • Associated: 00000009.00000002.1790543046.00007FF71D010000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790574184.00007FF71D015000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790588551.00007FF71D016000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790606196.00007FF71D019000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ff71d010000_obs-ffmpeg-mux.jbxd
                                                                              Similarity
                                                                              • API ID: strncmp$__acrt_iob_funcavcodec_free_contextfprintf$av_freeav_guess_formatav_strerroravformat_alloc_output_context2avformat_free_contextavformat_network_initavio_context_freecallocfree
                                                                              • String ID: Couldn't find an appropriate muxer for '%s'$Couldn't initialize output context: %s$http$mpegts$video/M2PT
                                                                              • API String ID: 3777911973-2524251934
                                                                              • Opcode ID: 078559d49e555ef7517477361438487f95b7fa6d5945ffa6822e70d97715306d
                                                                              • Instruction ID: 49cb5be898d41b35fa833e475a7b85fc71c5b08e1d67529f5c01ca56e9453dfc
                                                                              • Opcode Fuzzy Hash: 078559d49e555ef7517477361438487f95b7fa6d5945ffa6822e70d97715306d
                                                                              • Instruction Fuzzy Hash: 3231E211A1CE4382FA64BB25A4412BDE360AF897B4FD01331E94D0B2D2FE2CE54C8F21
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1790556344.00007FF71D011000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF71D010000, based on PE: true
                                                                              • Associated: 00000009.00000002.1790543046.00007FF71D010000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790574184.00007FF71D015000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790588551.00007FF71D016000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000009.00000002.1790606196.00007FF71D019000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ff71d010000_obs-ffmpeg-mux.jbxd
                                                                              Similarity
                                                                              • API ID: __acrt_iob_funcav_content_light_metadata_allocav_mastering_display_metadata_allocav_memdupav_stream_add_side_dataavcodec_alloc_context3avcodec_descriptor_get_by_name
                                                                              • String ID: 2$Couldn't find codec '%s'$E
                                                                              • API String ID: 3726879996-2734579634
                                                                              • Opcode ID: 984bf621481a9a25f05ee9f8f0874bf5fd16c3df77fd558344dbfddc274f0f6a
                                                                              • Instruction ID: a1c69523c6726bdf5913cfdb3331471714368d5a91bb60ec55841b21d6be50f2
                                                                              • Opcode Fuzzy Hash: 984bf621481a9a25f05ee9f8f0874bf5fd16c3df77fd558344dbfddc274f0f6a
                                                                              • Instruction Fuzzy Hash: 1B81F372609B80CBD754DF25E54435DBBB0F789B98F50412AEB8C87B58EB7AD858CB00
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.1790556344.00007FF71D011000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF71D010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff71d010000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: __acrt_iob_func$avcodec_descriptor_get_by_nameavcodec_find_encoder
• String ID: Couldn't find codec '%s'$Couldn't find codec descriptor '%s'$title
• API String ID: 3715327632-3279048111
APIs
Memory Dump Source
• Source File: 00000009.00000002.1790556344.00007FF71D011000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF71D010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff71d010000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: bfreefreeos_event_destroy$av_packet_freeav_write_traileros_event_signalpthread_joinpthread_mutex_destroypthread_mutex_lockpthread_mutex_unlock
• String ID:
• API String ID: 3736584056-0
APIs
• strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF71D0123A2), ref: 00007FF71D01204A
• strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF71D0123A2), ref: 00007FF71D012065
• strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF71D0123A2), ref: 00007FF71D012080
• strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF71D0123A2), ref: 00007FF71D01209B
• strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF71D0123A2), ref: 00007FF71D0120B6
Strings
Memory Dump Source
• Source File: 00000009.00000002.1790556344.00007FF71D011000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF71D010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff71d010000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: strncmp
• String ID: http$rist$srt$tcp$udp
• API String ID: 1114863663-504309389
APIs
Memory Dump Source
• Source File: 00000009.00000002.1790556344.00007FF71D011000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF71D010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff71d010000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: memcpypthread_mutex_lockpthread_mutex_unlock$os_event_resetos_event_signalos_event_wait
• String ID:
• API String ID: 2918620995-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.1790556344.00007FF71D011000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF71D010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff71d010000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: __p___argc__p___wargv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_release_startup_lock_cexit_exit_get_initial_wide_environment_register_thread_local_exe_atexit_callback
• String ID:
• API String ID: 1184979102-0
APIs
• avcodec_free_context.AVCODEC-60 ref: 00007FF71D012388
• avformat_free_context.AVFORMAT-60 ref: 00007FF71D0123CC
  • Part of subcall function 00007FF71D012030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF71D0123A2), ref: 00007FF71D01204A
  • Part of subcall function 00007FF71D012030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF71D0123A2), ref: 00007FF71D012065
  • Part of subcall function 00007FF71D012030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF71D0123A2), ref: 00007FF71D012080
  • Part of subcall function 00007FF71D012030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF71D0123A2), ref: 00007FF71D01209B
  • Part of subcall function 00007FF71D012030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF71D0123A2), ref: 00007FF71D0120B6
• av_free.AVUTIL-58 ref: 00007FF71D0123B1
• avio_context_free.AVFORMAT-60 ref: 00007FF71D0123BD
• avio_close.AVFORMAT-60 ref: 00007FF71D0123C4
• avcodec_free_context.AVCODEC-60 ref: 00007FF71D012402
• free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF71D012415
Memory Dump Source
• Source File: 00000009.00000002.1790556344.00007FF71D011000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF71D010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff71d010000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: strncmp$avcodec_free_context$av_freeavformat_free_contextavio_closeavio_context_freefree
• String ID:
• API String ID: 1086289117-0
APIs
• avformat_new_stream.AVFORMAT-60(?,?,?,00007FF71D0112F1), ref: 00007FF71D0129AD
• __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF71D0112F1), ref: 00007FF71D0129C0
• fprintf.MSPDB140-MSVCRT ref: 00007FF71D0129D3
  • Part of subcall function 00007FF71D012320: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FF71D0129D8,?,?,?,00007FF71D0112F1), ref: 00007FF71D012357
Strings
Memory Dump Source
• Source File: 00000009.00000002.1790556344.00007FF71D011000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF71D010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff71d010000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: __acrt_iob_func__stdio_common_vfprintfavformat_new_streamfprintf
• String ID: Couldn't create stream for encoder '%s'
• API String ID: 306180413-3485626053